1. 27 Jun, 2016 3 commits
    • Huw Davies's avatar
      netlabel: Add support for creating a CALIPSO protocol domain mapping. · dc7de73f
      Huw Davies authored
      This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands
      to accept CALIPSO protocol DOIs.
      Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    • Huw Davies's avatar
      netlabel: Initial support for the CALIPSO netlink protocol. · cb72d382
      Huw Davies authored
      CALIPSO is a packet labelling protocol for IPv6 which is very similar
      to CIPSO.  It is specified in RFC 5570.  Much of the code is based on
      the current CIPSO code.
      This adds support for adding passthrough-type CALIPSO DOIs through the
      NLBL_CALIPSO_C_ADD command.  It requires attributes:
      In passthrough mode the CALIPSO engine will map MLS secattr levels
      and categories directly to the packet label.
      At this stage, the major difference between this and the CIPSO
      code is that IPv6 may be compiled as a module.  To allow for
      this the CALIPSO functions are registered at module init time.
      Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    • Huw Davies's avatar
      netlabel: Add an address family to domain hash entries. · 8f18e675
      Huw Davies authored
      The reason is to allow different labelling protocols for
      different address families with the same domain.
      This requires the addition of an address family attribute
      in the netlink communication protocol.  It is used in several
      NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF take it as an optional
      attribute for the unlabelled protocol.  It may be one of AF_INET,
      AF_INET6 or AF_UNSPEC (to specify both address families).  If it
      is missing, it defaults to AF_UNSPEC.
      NLBL_MGMT_C_LISTALL and NLBL_MGMT_C_LISTDEF return it as part of
      the enumeration of each item.  Addtionally, it may be sent to
      LISTDEF to specify which address family to return.
      Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
  2. 31 Mar, 2015 1 commit
  3. 04 Feb, 2015 2 commits
  4. 18 Jan, 2015 1 commit
    • Johannes Berg's avatar
      netlink: make nlmsg_end() and genlmsg_end() void · 053c095a
      Johannes Berg authored
      Contrary to common expectations for an "int" return, these functions
      return only a positive value -- if used correctly they cannot even
      return 0 because the message header will necessarily be in the skb.
      This makes the very common pattern of
        if (genlmsg_end(...) < 0) { ... }
      be a whole bunch of dead code. Many places also simply do
        return nlmsg_end(...);
      and the caller is expected to deal with it.
      This also commonly (at least for me) causes errors, because it is very
      common to write
        if (my_function(...))
          /* error condition */
      and if my_function() does "return nlmsg_end()" this is of course wrong.
      Additionally, there's not a single place in the kernel that actually
      needs the message length returned, and if anyone needs it later then
      it'll be very easy to just use skb->len there.
      Remove this, and make the functions void. This removes a bunch of dead
      code as described above. The patch adds lines because I did
      -	return nlmsg_end(...);
      +	nlmsg_end(...);
      +	return 0;
      I could have preserved all the function's return values by returning
      skb->len, but instead I've audited all the places calling the affected
      functions and found that none cared. A few places actually compared
      the return value with <= 0 in dump functionality, but that could just
      be changed to < 0 with no change in behaviour, so I opted for the more
      efficient version.
      One instance of the error I've made numerous times now is also present
      in net/phonet/pn_netlink.c in the route_dumpit() function - it didn't
      check for <0 or <=0 and thus broke out of the loop every single time.
      I've preserved this since it will (I think) have caused the messages to
      userspace to be formatted differently with just a single message for
      every SKB returned to userspace. It's possible that this isn't needed
      for the tools that actually use this, but I don't even know what they
      are so couldn't test that changing this behaviour would be acceptable.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  5. 06 Dec, 2013 1 commit
  6. 19 Nov, 2013 1 commit
  7. 14 Nov, 2013 1 commit
  8. 02 Aug, 2013 1 commit
    • Paul Moore's avatar
      netlabel: use domain based selectors when address based selectors are not available · 6a8b7f0c
      Paul Moore authored
      NetLabel has the ability to selectively assign network security labels
      to outbound traffic based on either the LSM's "domain" (different for
      each LSM), the network destination, or a combination of both.  Depending
      on the type of traffic, local or forwarded, and the type of traffic
      selector, domain or address based, different hooks are used to label the
      traffic; the goal being minimal overhead.
      Unfortunately, there is a bug such that a system using NetLabel domain
      based traffic selectors does not correctly label outbound local traffic
      that is not assigned to a socket.  The issue is that in these cases
      the associated NetLabel hook only looks at the address based selectors
      and not the domain based selectors.  This patch corrects this by
      checking both the domain and address based selectors so that the correct
      labeling is applied, regardless of the configuration type.
      In order to acomplish this fix, this patch also simplifies some of the
      NetLabel domainhash structures to use a more common outbound traffic
      mapping type: struct netlbl_dommap_def.  This simplifies some of the code
      in this patch and paves the way for further simplifications in the
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  9. 10 Sep, 2012 1 commit
  10. 11 Dec, 2011 1 commit
  11. 22 Nov, 2011 1 commit
  12. 02 Aug, 2011 2 commits
  13. 26 Jul, 2011 1 commit
  14. 31 Mar, 2011 1 commit
  15. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      The script does the followings.
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
      The conversion was done in the following steps.
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
      6. percpu.h was updated not to include slab.h.
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
  16. 21 May, 2009 1 commit
  17. 22 Nov, 2008 1 commit
  18. 29 Oct, 2008 1 commit
  19. 10 Oct, 2008 2 commits
    • Paul Moore's avatar
      netlabel: Add network address selectors to the NetLabel/LSM domain mapping · 63c41688
      Paul Moore authored
      This patch extends the NetLabel traffic labeling capabilities to individual
      packets based not only on the LSM domain but the by the destination address
      as well.  The changes here only affect the core NetLabel infrastructre,
      changes to the NetLabel KAPI and individial protocol engines are also
      required but are split out into a different patch to ease review.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
    • Paul Moore's avatar
      netlabel: Replace protocol/NetLabel linking with refrerence counts · b1edeb10
      Paul Moore authored
      NetLabel has always had a list of backpointers in the CIPSO DOI definition
      structure which pointed to the NetLabel LSM domain mapping structures which
      referenced the CIPSO DOI struct.  The rationale for this was that when an
      administrator removed a CIPSO DOI from the system all of the associated
      NetLabel LSM domain mappings should be removed as well; a list of
      backpointers made this a simple operation.
      Unfortunately, while the backpointers did make the removal easier they were
      a bit of a mess from an implementation point of view which was making
      further development difficult.  Since the removal of a CIPSO DOI is a
      realtively rare event it seems to make sense to remove this backpointer
      list as the optimization was hurting us more then it was helping.  However,
      we still need to be able to track when a CIPSO DOI definition is being used
      so replace the backpointer list with a reference count.  In order to
      preserve the current functionality of removing the associated LSM domain
      mappings when a CIPSO DOI is removed we walk the LSM domain mapping table,
      removing the relevant entries.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
  20. 10 Jul, 2008 1 commit
  21. 18 Feb, 2008 2 commits
  22. 29 Jan, 2008 1 commit
  23. 20 Dec, 2007 1 commit
  24. 26 Oct, 2007 1 commit
  25. 19 Jul, 2007 1 commit
    • Paul Moore's avatar
      SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement · 23bcdc1a
      Paul Moore authored
      Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
      current runtime status of NetLabel based on the existing configuration.  LSMs
      that make use of NetLabel, i.e. SELinux, can use this new function to determine
      if they should perform NetLabel access checks.  This patch changes the
      NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
      access checks when netlbl_enabled() returns true.
      At present NetLabel is considered to be enabled when there is at least one
      labeled protocol configuration present.  The result is that by default NetLabel
      is considered to be disabled, however, as soon as an administrator configured
      a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing
      NetLabel related access controls - including unlabeled packet controls.
      This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
      blocks into a single block to ease future review as recommended by Linus.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  26. 07 Jun, 2007 1 commit
  27. 03 Dec, 2006 3 commits
  28. 30 Sep, 2006 1 commit
  29. 29 Sep, 2006 1 commit
  30. 25 Sep, 2006 1 commit
  31. 22 Sep, 2006 1 commit
    • Paul Moore's avatar
      [NetLabel]: core NetLabel subsystem · d15c345f
      Paul Moore authored
      Add a new kernel subsystem, NetLabel, to provide explicit packet
      labeling services (CIPSO, RIPSO, etc.) to LSM developers.  NetLabel is
      designed to work in conjunction with a LSM to intercept and decode
      security labels on incoming network packets as well as ensure that
      outgoing network packets are labeled according to the security
      mechanism employed by the LSM.  The NetLabel subsystem is configured
      through a Generic NETLINK interface described in the header files
      included in this patch.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>