aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2006-06-19
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (109 commits) [ETHTOOL]: Fix UFO typo [SCTP]: Fix persistent slowdown in sctp when a gap ack consumes rx buffer. [SCTP]: Send only 1 window update SACK per message. [SCTP]: Don't do CRC32C checksum over loopback. [SCTP] Reset rtt_in_progress for the chunk when processing its sack. [SCTP]: Reject sctp packets with broadcast addresses. [SCTP]: Limit association max_retrans setting in setsockopt. [PFKEYV2]: Fix inconsistent typing in struct sadb_x_kmprivate. [IPV6]: Sum real space for RTAs. [IRDA]: Use put_unaligned() in irlmp_do_discovery(). [BRIDGE]: Add support for NETIF_F_HW_CSUM devices [NET]: Add NETIF_F_GEN_CSUM and NETIF_F_ALL_CSUM [TG3]: Convert to non-LLTX [TG3]: Remove unnecessary tx_lock [TCP]: Add tcp_slow_start_after_idle sysctl. [BNX2]: Update version and reldate [BNX2]: Use CPU native page size [BNX2]: Use compressed firmware [BNX2]: Add firmware decompression [BNX2]: Allow WoL settings on new 5708 chips ... Manual fixup for conflict in drivers/net/tulip/winbond-840.c
| * [ETHTOOL]: Fix UFO typoHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | The function ethtool_get_ufo was referring to ETHTOOL_GTSO instead of ETHTOOL_GUFO. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SCTP]: Fix persistent slowdown in sctp when a gap ack consumes rx buffer.Neil Horman2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the event that our entire receive buffer is full with a series of chunks that represent a single gap-ack, and then we accept a chunk (or chunks) that fill in the gap between the ctsn and the first gap, we renege chunks from the end of the buffer, which effectively does nothing but move our gap to the end of our received tsn stream. This does little but move our missing tsns down stream a little, and, if the sender is sending sufficiently large retransmit frames, the result is a perpetual slowdown which can never be recovered from, since the only chunk that can be accepted to allow progress in the tsn stream necessitates that a new gap be created to make room for it. This leads to a constant need for retransmits, and subsequent receiver stalls. The fix I've come up with is to deliver the frame without reneging if we have a full receive buffer and the receiving sockets sk_receive_queue is empty(indicating that the receive buffer is being blocked by a missing tsn). Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SCTP]: Send only 1 window update SACK per message.Tsutomu Fujii2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | Right now, every time we increase our rwnd by more then MTU bytes, we trigger a SACK. When processing large messages, this will generate a SACK for almost every other SCTP fragment. However since we are freeing the entire message at the same time, we might as well collapse the SACK generation to 1. Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SCTP]: Don't do CRC32C checksum over loopback.Sridhar Samudrala2006-06-18
| | | | | | | | | | Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SCTP] Reset rtt_in_progress for the chunk when processing its sack.Vlad Yasevich2006-06-18
| | | | | | | | | | | | Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SCTP]: Reject sctp packets with broadcast addresses.Vlad Yasevich2006-06-18
| | | | | | | | | | | | Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SCTP]: Limit association max_retrans setting in setsockopt.Vlad Yasevich2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When using ASSOCINFO socket option, we need to limit the number of maximum association retransmissions to be no greater than the sum of all the path retransmissions. This is specified in Section 7.1.2 of the SCTP socket API draft. However, we only do this if the association has multiple paths. If there is only one path, the protocol stack will use the assoc_max_retrans setting when trying to retransmit packets. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [PFKEYV2]: Fix inconsistent typing in struct sadb_x_kmprivate.Tushar Gohad2006-06-18
| | | | | | | | | | Signed-off-by: Tushar Gohad <tgohad@mvista.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV6]: Sum real space for RTAs.YOSHIFUJI Hideaki2006-06-18
| | | | | | | | | | | | | | | | | | This patch fixes RTNLGRP_IPV6_IFINFO netlink notifications. Issue pointed out by Patrick McHardy <kaber@trash.net>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IRDA]: Use put_unaligned() in irlmp_do_discovery().David S. Miller2006-06-18
| | | | | | | | | | | | | | | | | | irda_device_info->hints[] is byte aligned but is being accessed as a u16 Based upon a patch by Luke Yang <luke.adi@gmail.com>. Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BRIDGE]: Add support for NETIF_F_HW_CSUM devicesHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | | | | | | | As it is the bridge will only ever declare NETIF_F_IP_CSUM even if all its constituent devices support NETIF_F_HW_CSUM. This patch fixes this by supporting the first one out of NETIF_F_NO_CSUM, NETIF_F_HW_CSUM, and NETIF_F_IP_CSUM that is supported by all constituent devices. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: Add NETIF_F_GEN_CSUM and NETIF_F_ALL_CSUMHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | | | | | | | The current stack treats NETIF_F_HW_CSUM and NETIF_F_NO_CSUM identically so we test for them in quite a few places. For the sake of brevity, I'm adding the macro NETIF_F_GEN_CSUM for these two. We also test the disjunct of NETIF_F_IP_CSUM and the other two in various places, for that purpose I've added NETIF_F_ALL_CSUM. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TG3]: Convert to non-LLTXMichael Chan2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Herbert Xu pointed out that it is unsafe to call netif_tx_disable() from LLTX drivers because it uses dev->xmit_lock to synchronize whereas LLTX drivers use private locks. Convert tg3 to non-LLTX to fix this issue. tg3 is a lockless driver where hard_start_xmit and tx completion handling can run concurrently under normal conditions. A tx_lock is only needed to prevent netif_stop_queue and netif_wake_queue race condtions when the queue is full. So whether we use LLTX or non-LLTX, it makes practically no difference. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TG3]: Remove unnecessary tx_lockMichael Chan2006-06-18
| | | | | | | | | | | | | | | | | | | | Remove tx_lock where it is unnecessary. tg3 runs lockless and so it requires interrupts to be disabled and sync'ed, netif_queue and NAPI poll to be stopped before the device can be reconfigured. After stopping everything, it is no longer necessary to get the tx_lock. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP]: Add tcp_slow_start_after_idle sysctl.David S. Miller2006-06-18
| | | | | | | | | | | | | | A lot of people have asked for a way to disable tcp_cwnd_restart(), and it seems reasonable to add a sysctl to do that. Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Update version and reldateMichael Chan2006-06-18
| | | | | | | | | | | | | | Update driver version to 1.4.42. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Use CPU native page sizeMichael Chan2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | Use CPU native page size to determine various ring sizes. This allows order-0 memory allocations on all systems. Added check to limit the page size to 16K since that's the maximum rx ring size that will be used. This will prevent using unnecessarily large page sizes on some architectures with large page sizes. [Suggested by David Miller] Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Use compressed firmwareMichael Chan2006-06-18
| | | | | | | | | | | | | | Change bnx2_fw.h to use compressed text for all CPU images. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Add firmware decompressionMichael Chan2006-06-18
| | | | | | | | | | | | | | | | | | | | | | Add functions to decompress firmware before loading to the internal CPUs. Compressing the firmware reduces the driver size significantly. Added file name length sanity check in the gzip header to prevent going past the end of buffer [suggested by DaveM]. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Allow WoL settings on new 5708 chipsMichael Chan2006-06-18
| | | | | | | | | | | | | | | | Allow WOL settings on 5708 B2 and newer chips that have the problem fixed. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Add an rx drop counterMichael Chan2006-06-18
| | | | | | | | | | | | | | Add a counter for packets dropped by firmware. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP] Westwood: reset RTT min after FRTOLuca De Cicco2006-06-18
| | | | | | | | | | | | | | | | | | RTT_min is updated each time a timeout event occurs in order to cope with hard handovers in wireless scenarios such as UMTS. Signed-off-by: Luca De Cicco <ldecicco@gmail.com> Signed-off-by: Stephen Hemminger <shemminger@dxpl.pdx.osdl.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP] Westwood: bandwidth filter startupLuca De Cicco2006-06-18
| | | | | | | | | | | | | | | | | | | | The bandwidth estimate filter is now initialized with the first sample in order to have better performances in the case of small file transfers. Signed-off-by: Luca De Cicco <ldecicco@gmail.com> Signed-off-by: Stephen Hemminger <shemminger@dxpl.pdx.osdl.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP] Westwood: comment fixesLuca De Cicco2006-06-18
| | | | | | | | | | | | | | | | Cleanup some comments and add more references Signed-off-by: Luca De Cicco <ldecicco@gmail.com> Signed-off-by: Stephen Hemminger <shemminger@dxpl.pdx.osdl.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [TCP] Westwood: fix first sampleStephen Hemminger2006-06-18
| | | | | | | | | | | | | | | | Need to update send sequence number tracking after first ack. Rework of patch from Luca De Cicco. Signed-off-by: Stephen Hemminger <shemminger@dxpl.pdx.osdl.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: net.ipv4.ip_autoconfig sysctl removalStephen Hemminger2006-06-18
| | | | | | | | | | | | | | The sysctl net.ipv4.ip_autoconfig is a legacy value that is not used. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Endian fixes.Alexey Dobriyan2006-06-18
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IRDA]: irda-usb.c: STIR421x cleanupsNick Fedchik2006-06-18
| | | | | | | | | | | | | | | | | | | | This cleans the STIR421x part of the irda-usb code. We also no longer try to load all existing firmwares but only the matching one (according to the USB id we get from the dongle). Signed-off-by: Nick Fedchik <nfedchik@atlantic-link.com.ua> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPX]: Endian bug in ipxrtr_route_packet()Alexey Dobriyan2006-06-18
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: Warn in __skb_trim if skb is pagedHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | It's better to warn and fail rather than rarely triggering BUG on paths that incorrectly call skb_trim/__skb_trim on a non-linear skb. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: skb_trim auditHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | | | | | | | I found a few more spots where pskb_trim_rcsum could be used but were not. This patch changes them to use it. Also, sk_filter can get paged skb data. Therefore we must use pskb_trim instead of skb_trim. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET] ppp: Remove unnecessary pskb_may_pullHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | In ppp_receive_nonmp_frame, we call pskb_may_pull(skb, skb->len) if the tailroom is >= 124. This is pointless because this pskb_may_pull is only needed if the skb is non-linear. However, if it is non-linear then the tailroom would be zero. So it can be safely removed. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: Clean up skb_linearizeHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The linearisation operation doesn't need to be super-optimised. So we can replace __skb_linearize with __pskb_pull_tail which does the same thing but is more general. Also, most users of skb_linearize end up testing whether the skb is linear or not so it helps to make skb_linearize do just that. Some callers of skb_linearize also use it to copy cloned data, so it's useful to have a new function skb_linearize_cow to copy the data if it's either non-linear or cloned. Last but not least, I've removed the gfp argument since nobody uses it anymore. If it's ever needed we can easily add it back. Misc bugs fixed by this patch: * via-velocity error handling (also, no SG => no frags) Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: Add netif_tx_lockHerbert Xu2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Various drivers use xmit_lock internally to synchronise with their transmission routines. They do so without setting xmit_lock_owner. This is fine as long as netpoll is not in use. With netpoll it is possible for deadlocks to occur if xmit_lock_owner isn't set. This is because if a printk occurs while xmit_lock is held and xmit_lock_owner is not set can cause netpoll to attempt to take xmit_lock recursively. While it is possible to resolve this by getting netpoll to use trylock, it is suboptimal because netpoll's sole objective is to maximise the chance of getting the printk out on the wire. So delaying or dropping the message is to be avoided as much as possible. So the only alternative is to always set xmit_lock_owner. The following patch does this by introducing the netif_tx_lock family of functions that take care of setting/unsetting xmit_lock_owner. I renamed xmit_lock to _xmit_lock to indicate that it should not be used directly. I didn't provide irq versions of the netif_tx_lock functions since xmit_lock is meant to be a BH-disabling lock. This is pretty much a straight text substitution except for a small bug fix in winbond. It currently uses netif_stop_queue/spin_unlock_wait to stop transmission. This is unsafe as an IRQ can potentially wake up the queue. So it is safer to use netif_tx_disable. The hamradio bits used spin_lock_irq but it is unnecessary as xmit_lock must never be taken in an IRQ handler. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETFILTER]: hashlimit match: fix random initializationPatrick McHardy2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | hashlimit does: if (!ht->rnd) get_random_bytes(&ht->rnd, 4); ignoring that 0 is also a valid random number. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETFILTER]: recent match: missing refcnt initializationPatrick McHardy2006-06-18
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETFILTER]: recent match: fix "sleeping function called from invalid context"Patrick McHardy2006-06-18
| | | | | | | | | | | | | | | | create_proc_entry must not be called with locks held. Use a mutex instead to protect data only changed in user context. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add new packet controls to SELinuxJames Morris2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add new per-packet access controls to SELinux, replacing the old packet controls. Packets are labeled with the iptables SECMARK and CONNSECMARK targets, then security policy for the packets is enforced with these controls. To allow for a smooth transition to the new controls, the old code is still present, but not active by default. To restore previous behavior, the old controls may be activated at runtime by writing a '1' to /selinux/compat_net, and also via the kernel boot parameter selinux_compat_net. Switching between the network control models requires the security load_policy permission. The old controls will probably eventually be removed and any continued use is discouraged. With this patch, the new secmark controls for SElinux are disabled by default, so existing behavior is entirely preserved, and the user is not affected at all. It also provides a config option to enable the secmark controls by default (which can always be overridden at boot and runtime). It is also noted in the kconfig help that the user will need updated userspace if enabling secmark controls for SELinux and that they'll probably need the SECMARK and CONNMARK targets, and conntrack protocol helpers, although such decisions are beyond the scope of kernel configuration. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add CONNSECMARK xtables targetJames Morris2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new xtables target, CONNSECMARK, which is used to specify rules for copying security marks from packets to connections, and for copyying security marks back from connections to packets. This is similar to the CONNMARK target, but is more limited in scope in that it only allows copying of security marks to and from packets, as this is all it needs to do. A typical scenario would be to apply a security mark to a 'new' packet with SECMARK, then copy that to its conntrack via CONNMARK, and then restore the security mark from the connection to established and related packets on that connection. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add secmark support to conntrackJames Morris2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | Add a secmark field to IP and NF conntracks, so that security markings on packets can be copied to their associated connections, and also copied back to packets as required. This is similar to the network mark field currently used with conntrack, although it is intended for enforcement of security policy rather than network policy. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add xtables SECMARK targetJames Morris2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | Add a SECMARK target to xtables, allowing the admin to apply security marks to packets via both iptables and ip6tables. The target currently handles SELinux security marking, but can be extended for other purposes as needed. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add secmark support to core networking.James Morris2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | Add a secmark field to the skbuff structure, to allow security subsystems to place security markings on network packets. This is similar to the nfmark field, except is intended for implementing security policy, rather than than networking policy. This patch was already acked in principle by Dave Miller. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add SELinux exportsJames Morris2006-06-18
| | | | | | | | | | | | | | | | | | Add and export new functions to the in-kernel SELinux API in support of the new secmark-based packet controls. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SECMARK]: Add new flask definitions to SELinuxJames Morris2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Secmark implements a new scheme for adding security markings to packets via iptables, as well as changes to SELinux to use these markings for security policy enforcement. The rationale for this scheme is explained and discussed in detail in the original threads: http://thread.gmane.org/gmane.linux.network/34927/ http://thread.gmane.org/gmane.linux.network/35244/ Examples of policy and rulesets, as well as a full archive of patches for iptables and SELinux userland, may be found at: http://people.redhat.com/jmorris/selinux/secmark/ The code has been tested with various compilation options and in several scenarios, including with 'complicated' protocols such as FTP and also with the new generic conntrack code with IPv6 connection tracking. This patch: Add support for a new object class ('packet'), and associated permissions ('send', 'recv', 'relabelto'). These are used to enforce security policy for network packets labeled with SECMARK, and for adding labeling rules. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [SELINUX]: add security class for appletalk socketsChristopher J. PeBenito2006-06-18
| | | | | | | | | | | | | | | | | | | | Add a security class for appletalk sockets so that they can be distinguished in SELinux policy. Please apply. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: Fix warnings after LSM-IPSEC changes.David S. Miller2006-06-18
| | | | | | | | | | | | | | | | | | | | Assignment used as truth value in xfrm_del_sa() and xfrm_get_policy(). Wrong argument type declared for security_xfrm_state_delete() when SELINUX is disabled. Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: NET_TCPPROBE Kconfig fixDave Jones2006-06-18
| | | | | | | | | | | | | | | | Just spotted this typo in a new option. Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [LSM-IPsec]: SELinux AuthorizeCatherine Zhang2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch contains a fix for the previous patch that adds security contexts to IPsec policies and security associations. In the previous patch, no authorization (besides the check for write permissions to SAD and SPD) is required to delete IPsec policies and security assocations with security contexts. Thus a user authorized to change SAD and SPD can bypass the IPsec policy authorization by simply deleteing policies with security contexts. To fix this security hole, an additional authorization check is added for removing security policies and security associations with security contexts. Note that if no security context is supplied on add or present on policy to be deleted, the SELinux module allows the change unconditionally. The hook is called on deletion when no context is present, which we may want to change. At present, I left it up to the module. LSM changes: The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete. The new hooks are necessary to authorize deletion of IPsec policies that have security contexts. The existing hooks xfrm_policy_free and xfrm_state_free lack the context to do the authorization, so I decided to split authorization of deletion and memory management of security data, as is typical in the LSM interface. Use: The new delete hooks are checked when xfrm_policy or xfrm_state are deleted by either the xfrm_user interface (xfrm_get_policy, xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete). SELinux changes: The new policy_delete and state_delete functions are added. Signed-off-by: Catherine Zhang <cxzhang@watson.ibm.com> Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [CONNECTOR]: Fix warning in cn_queue.cAndreas Schwab2006-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | cn_queue.c:130: warning: value computed is not used There is no point in testing the atomic value if the result is thrown away. From Evgeniy: It was created to put implicit smp barrier, but it is not needed there. Signed-off-by: Andreas Schwab <schwab@suse.de> Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: David S. Miller <davem@davemloft.net>