aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* SELinux: Enable dynamic enable/disable of the network access checksPaul Moore2008-01-29
| | | | | | | | | | | | | | | | | | | | | | This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by keeping introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and when the entry is removed it is decreased. In the case of SECMARK, when a SECMARK target is created the reference count is increased and later decreased when the target is removed. These reference counters allow SELinux to quickly determine if either of these subsystems are enabled. NetLabel already has a similar mechanism which provides the netlbl_enabled() function. This patch also renames the selinux_relabel_packet_permission() function to selinux_secmark_relabel_packet_permission() as the original name and description were misleading in that they referenced a single packet label which is not the case. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Better integration between peer labeling subsystemsPaul Moore2008-01-29
| | | | | | | | | | | | | Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer labels. As part of this work the inbound packet permission check code has been heavily modified to handle both the old and new behavior in as sane a fashion as possible. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Add a new peer class and permissions to the Flask definitionsPaul Moore2008-01-29
| | | | | | | | | | Add additional Flask definitions to support the new "peer" object class and additional permissions to the netif, node, and packet object classes. Also, bring the kernel Flask definitions up to date with the Fedora SELinux policies by adding the "flow_in" and "flow_out" permissions to the "packet" class. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Add a capabilities bitmap to SELinux policy version 22Paul Moore2008-01-29
| | | | | | | | | Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Add a network node caching mechanism similar to the sel_netif_*() ↵Paul Moore2008-01-29
| | | | | | | | | | | | | functions This patch adds a SELinux IP address/node SID caching mechanism similar to the sel_netif_*() functions. The node SID queries in the SELinux hooks files are also modified to take advantage of this new functionality. In addition, remove the address length information from the sk_buff parsing routines as it is redundant since we already have the address family. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Only store the network interface's ifindexPaul Moore2008-01-29
| | | | | | | | | | Instead of storing the packet's network interface name store the ifindex. This allows us to defer the need to lookup the net_device structure until the audit record is generated meaning that in the majority of cases we never need to bother with this at all. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Convert the netif code to use ifindex valuesPaul Moore2008-01-29
| | | | | | | | | | | | The current SELinux netif code requires the caller have a valid net_device struct pointer to lookup network interface information. However, we don't always have a valid net_device pointer so convert the netif code to use the ifindex values we always have as part of the sk_buff. This patch also removes the default message SID from the network interface record, it is not being used and therefore is "dead code". Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Add IP address family information to the netlbl_skbuff_getattr() ↵Paul Moore2008-01-29
| | | | | | | | | | | | function In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Add secid token support to the NetLabel secattr structPaul Moore2008-01-29
| | | | | | | | | | | This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Consolidate the LSM domain mapping/hashing locksPaul Moore2008-01-29
| | | | | | | | | | | Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry with the hash/mapping table spinlock. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Cleanup the LSM domain hash functionsPaul Moore2008-01-29
| | | | | | | | | | The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Remove unneeded RCU read locksPaul Moore2008-01-29
| | | | | | | | | | This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.25Linus Torvalds2008-01-29
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.25: (1470 commits) [IPV6] ADDRLABEL: Fix double free on label deletion. [PPP]: Sparse warning fixes. [IPV4] fib_trie: remove unneeded NULL check [IPV4] fib_trie: More whitespace cleanup. [NET_SCHED]: Use nla_policy for attribute validation in ematches [NET_SCHED]: Use nla_policy for attribute validation in actions [NET_SCHED]: Use nla_policy for attribute validation in classifiers [NET_SCHED]: Use nla_policy for attribute validation in packet schedulers [NET_SCHED]: sch_api: introduce constant for rate table size [NET_SCHED]: Use typeful attribute parsing helpers [NET_SCHED]: Use typeful attribute construction helpers [NET_SCHED]: Use NLA_PUT_STRING for string dumping [NET_SCHED]: Use nla_nest_start/nla_nest_end [NET_SCHED]: Propagate nla_parse return value [NET_SCHED]: act_api: use PTR_ERR in tcf_action_init/tcf_action_get [NET_SCHED]: act_api: use nlmsg_parse [NET_SCHED]: act_api: fix netlink API conversion bug [NET_SCHED]: sch_netem: use nla_parse_nested_compat [NET_SCHED]: sch_atm: fix format string warning [NETNS]: Add namespace for ICMP replying code. ...
| * [IPV6] ADDRLABEL: Fix double free on label deletion.YOSHIFUJI Hideaki2008-01-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If an entry is being deleted because it has only one reference, we immediately delete it and blindly register the rcu handler for it, This results in oops by double freeing that object. This patch fixes it by consolidating the code paths for the deletion; let its rcu handler delete the object if it has no more reference. Bug was found by Mitsuru Chinen <mitch@linux.vnet.ibm.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [PPP]: Sparse warning fixes.Stephen Hemminger2008-01-28
| | | | | | | | | | | | | | | | | | Fix a bunch of warnings in PPP and related drivers. Mostly because sparse doesn't like it when the the function is only marked private in the forward declaration. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV4] fib_trie: remove unneeded NULL checkStephen Hemminger2008-01-28
| | | | | | | | | | | | | | | | Since fib_route_seq_show now uses hlist_for_each_entry(), the leaf info can not be NULL. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV4] fib_trie: More whitespace cleanup.Stephen Hemminger2008-01-28
| | | | | | | | | | | | | | Remove extra blank lines. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use nla_policy for attribute validation in ematchesPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use nla_policy for attribute validation in actionsPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use nla_policy for attribute validation in classifiersPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use nla_policy for attribute validation in packet schedulersPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: sch_api: introduce constant for rate table sizePatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use typeful attribute parsing helpersPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use typeful attribute construction helpersPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use NLA_PUT_STRING for string dumpingPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Use nla_nest_start/nla_nest_endPatrick McHardy2008-01-28
| | | | | | | | | | | | | | Use nla_nest_start/nla_nest_end for dumping nested attributes. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Propagate nla_parse return valuePatrick McHardy2008-01-28
| | | | | | | | | | | | | | | | nla_parse() returns more detailed errno codes, propagate them back on error. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: act_api: use PTR_ERR in tcf_action_init/tcf_action_getPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: act_api: use nlmsg_parsePatrick McHardy2008-01-28
| | | | | | | | | | | | | | Convert open-coded nlmsg_parse to use the real function. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: act_api: fix netlink API conversion bugPatrick McHardy2008-01-28
| | | | | | | | | | | | | | | | Fix two invalid attribute accesses, indices start at 1 with the new netlink API. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: sch_netem: use nla_parse_nested_compatPatrick McHardy2008-01-28
| | | | | | | | | | | | | | Replace open coded equivalent of nla_parse_nested_compat(). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: sch_atm: fix format string warningPatrick McHardy2008-01-28
| | | | | | | | | | | | | | | | | | Fix format string warning introduces by the netlink API conversion: net/sched/sch_atm.c:250: warning: format '%lu' expects type 'long unsigned int', but argument 3 has type 'int'. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add namespace for ICMP replying code.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | | | | | | | All needed API is done, the namespace is available when required from the device on the DST entry from the incoming packet. So, just replace init_net with proper namespace. Other protocols will follow. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Routing cache virtualization.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | | | | | | | | | Basically, this piece looks relatively easy. Namespace is already available on the dst entry via device and the device is safe to dereferrence. Compare it with one of a searcher and skip entry if appropriate. The only exception is ip_rt_frag_needed. So, add namespace parameter to it. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Correct namespace for connect-time routing.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | | | ip_route_connect and ip_route_newports are a part of routing API presented to the socket layer. The namespace is available inside them through a socket. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Convert actions from rtnetlink to new netlink APIPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Convert classifiers from rtnetlink to new netlink APIPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Convert packet schedulers from rtnetlink to new netlink APIPatrick McHardy2008-01-28
| | | | | | | | | | | | | | | | | | | | | | Convert packet schedulers to use the netlink API. Unfortunately a gradual conversion is not possible without breaking compilation in the middle or adding lots of casts, so this patch converts them all in one step. The patch has been mostly generated automatically with some minor edits to at least allow seperate conversion of classifiers and actions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETLINK]: Add nla_append()Patrick McHardy2008-01-28
| | | | | | | | | | | | | | Used to append data to a message without a header or padding. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: mark classifier ops __read_mostlyPatrick McHardy2008-01-28
| | | | | | | | | | | | | | Additionally remove unnecessary NULL initilizations of the next pointer. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: Move EXPORT_SYMBOL next to exported symbolPatrick McHardy2008-01-28
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add namespace parameter to ip_route_output_key.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | Needed to propagate it down to the ip_route_output_flow. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add namespace parameter to ip_route_output_flow.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | Needed to propagate it down to the __ip_route_output_key. Signed_off_by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add namespace parameter to __ip_route_output_key.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | This is only required to propagate it down to the ip_route_output_slow. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add namespace parameter to ip_route_output_slow.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | This function needs a net namespace to lookup devices, fib tables, etc. in, so pass it there. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add namespace parameter to ip_dev_find.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | in_dev_find() need a namespace to pass it to fib_get_table(), so add an argument. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETNS]: Add netns parameter to fib_select_default.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | | | Currently fib_select_default calls fib_get_table() with the init_net. Prepare it to provide a correct namespace to lookup default route. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV4]: Consolidate fib_select_default.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | | | The difference in the implementation of the fib_select_default when CONFIG_IP_MULTIPLE_TABLES is (not) defined looks negligible. Consolidate it and place into fib_frontend.c. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV4]: Declarations cleanup in ip_fib.h.Denis V. Lunev2008-01-28
| | | | | | | | | | | | | | | | | | | | Two small issues fixed: - fib_select_multipath is exported from fib_semantics.c rather than from fib_frontend.c. So, move the declaration below appropriate comment. - struct rt_entry declaration is not used. Drop it. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV4] fib_trie: avoid rescan on dumpStephen Hemminger2008-01-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This converts dumping (and flushing) of large route tables form O(N^2) to O(N). If the route dump took multiple pages then the dump routine gets called again. The old code kept track of location by counter, the new code instead uses the last key. This is a really big win ( 0.3 sec vs 12 sec) for big route tables. One side effect is that if the table changes during the dump, then the last key will not be found, and we will return -EBUSY. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>