[PATCH 1/1] LSM-IPsec SELinux Authorize

2005-12-26 Thread Trent Jaeger
Hi,

After discussion with Stephen Smalley and James Morris, we decided to 
change the SELinux authorization from relabel to testing for a security 
operation (set_ipsec).  That is, a process must have the authority to 
set IPsec security contexts in order to create or delete IPsec policy 
or SA entries with security contexts.

The proposed patch has a couple of minor issues that would need to be
resolved: (1) only pass to LSM when context is set? (2) task_for_security
becomes a non-static?

Patch is made against mm tree.  The point of the post is to discuss patch
changes prior to sending upstream to Andrew Morton.  

I will be traveling tomorrow and in less than optimal contact until Sun, 
so please bear with that.

Happy holidays to all!

Regards,
Trent.

-


This patch changes the authorization semantics for adding security 
contexts to IPsec policies.  Instead of requiring relabeling permissions
to add a security context to an IPsec policy, we require a security 
management permission (new: set_ipsec) to either add IPsec policies
with security contexts or remove IPsec policies with security contexts.

Note that if no security context is supplied on add or present on policy
to be deleted, the SELinux module allows the change unconditionally.  The 
hook is called on deletion when no context is present, which we may want
to change.  At present, I left it up to the module.

LSM changes:

The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete.
The new hooks are necessary to authorize deletion of IPsec policies that 
have security contexts.  The existing hooks xfrm_policy_free and 
xfrm_state_free lack the context to do the authorization, so I decided to split
authorization of deletion and memory management of security data, as is typical
in the LSM interface.

Use:

The new delete hooks are checked when xfrm_policy or xfrm_state are
deleted by either the xfrm_user interface (xfrm_get_policy,
xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).

Note that the line that adds a free to xfrm_add_policy addresses a 
memory leak.  The security context must be freed when the insertion
fails also.

SELinux changes:

The sec_ctx_alloc function is changed to authorize the task for set_ipsec.

The new policy_delete and state_delete functions are added. 

The function task_has_security is copied from selinuxfs.c.  Do we have
a problem making this non-static?  If so, I will do that.

Signed-off-by: Trent Jaeger <[EMAIL PROTECTED]>

---

 include/linux/security.h |   40 +--
 net/key/af_key.c |5 +
 net/xfrm/xfrm_user.c |7 ++
 security/dummy.c |   12 
 security/selinux/hooks.c |2 
 security/selinux/include/av_perm_to_string.h |3 -
 security/selinux/include/av_permissions.h|3 -
 security/selinux/include/xfrm.h  |2 
 security/selinux/xfrm.c  |   68 +++
 9 files changed, 114 insertions(+), 28 deletions(-)

diff -puN include/linux/security.h~lsm-labels-nethooks include/linux/security.h
--- linux-2.6.15-rc5/include/linux/security.h~lsm-labels-nethooks   
2005-12-26 11:27:00.0 -0500
+++ linux-2.6.15-rc5-root/include/linux/security.h  2005-12-26 
11:29:43.0 -0500
@@ -805,31 +805,37 @@ struct swap_info_struct;
  * used by the XFRM system.
  * @sec_ctx contains the security context information being provided by
  * the user-level policy update program (e.g., setkey).
- * Allocate a security structure to the xp->selector.security field.
+ * Allocate a security structure to the xp->security field.
  * The security field is initialized to NULL when the xfrm_policy is
  * allocated.
  * Return 0 if operation was successful (memory to allocate, legal context)
  * @xfrm_policy_clone_security:
  * @old contains an existing xfrm_policy in the SPD.
  * @new contains a new xfrm_policy being cloned from old.
- * Allocate a security structure to the new->selector.security field
- * that contains the information from the old->selector.security field.
+ * Allocate a security structure to the new->security field
+ * that contains the information from the old->security field.
  * Return 0 if operation was successful (memory to allocate).
  * @xfrm_policy_free_security:
  * @xp contains the xfrm_policy
- * Deallocate xp->selector.security.
+ * Deallocate xp->security.
+ * @xfrm_policy_delete_security:
+ * @xp contains the xfrm_policy
+ * Authorize deletion of xp->security.
  * @xfrm_state_alloc_security:
  * @x contains the xfrm_state being added to the Security Association
  * Database by the XFRM system.
  * @sec_ctx contains the security context information being provided by
  * the user-level SA generation program (e.g., setkey or racoon).
- * 

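As an added example that is not part of Trent's patch or of the kernel, the C below is a user-space model of the hook split the cover letter describes: an alloc hook that authorizes and then allocates, a separate delete hook that only authorizes (and runs even when no context is present), a free hook that only releases memory, and the free on the failed-insert path that the note about the leak calls for. The SPD list, the task and permission encoding, the selector, the sec_ctx layout and the counters are assumptions made for illustration, not SELinux or xfrm code.

```c
/* Added example, not from the patch: user-space model of splitting
 * authorization (alloc/delete hooks) from memory management (free hook).
 * SPD list, task/permission encoding, selector and counters are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define PERM_SET_IPSEC 0x1            /* stands in for the new set_ipsec permission */

struct task { const char *name; unsigned int perms; };
struct sec_ctx { char label[64]; };   /* stands in for xp->security */
struct policy { int selector; struct sec_ctx *security; struct policy *next; };
struct spd { struct policy *head; };

static int ctx_allocs, ctx_frees;     /* let a test prove nothing leaks on error paths */

/* stands in for task_has_security(): 0 if the task holds the permission */
static int task_has_security(const struct task *t, unsigned int perm)
{
    return (t->perms & perm) ? 0 : -EACCES;
}

/* alloc hook: authorize first, allocate only if permitted; no context means no check */
static int policy_alloc_security(struct policy *xp, const struct task *t, const char *ctx)
{
    int rc;
    if (!ctx)
        return 0;                     /* unlabeled policy: allowed unconditionally */
    if ((rc = task_has_security(t, PERM_SET_IPSEC)) != 0)
        return rc;
    xp->security = calloc(1, sizeof(*xp->security));
    if (!xp->security)
        return -ENOMEM;
    snprintf(xp->security->label, sizeof(xp->security->label), "%s", ctx);
    ctx_allocs++;
    return 0;
}

/* delete hook: authorization only; it runs even when no context is present */
static int policy_delete_security(const struct policy *xp, const struct task *t)
{
    if (!xp->security)
        return 0;
    return task_has_security(t, PERM_SET_IPSEC);
}

/* free hook: memory management only, never a permission check */
static void policy_free_security(struct policy *xp)
{
    if (!xp->security)
        return;
    free(xp->security);
    xp->security = NULL;
    ctx_frees++;
}

static struct policy *spd_find(const struct spd *spd, int selector)
{
    struct policy *p;
    for (p = spd->head; p; p = p->next)
        if (p->selector == selector)
            return p;
    return NULL;
}

/* add path: the free on the failed-insert branch is the leak fix the cover letter mentions */
int xfrm_add_policy(struct spd *spd, const struct task *t, int selector, const char *ctx)
{
    struct policy *xp = calloc(1, sizeof(*xp));
    int rc;
    if (!xp)
        return -ENOMEM;
    xp->selector = selector;
    if ((rc = policy_alloc_security(xp, t, ctx)) != 0) {
        free(xp);
        return rc;
    }
    if (spd_find(spd, selector)) {    /* insertion fails: selector already present */
        policy_free_security(xp);     /* without this the context would leak */
        free(xp);
        return -EEXIST;
    }
    xp->next = spd->head;
    spd->head = xp;
    return 0;
}

int xfrm_delete_policy(struct spd *spd, const struct task *t, int selector)
{
    struct policy **pp, *xp;
    int rc;
    for (pp = &spd->head; (xp = *pp) != NULL; pp = &xp->next)
        if (xp->selector == selector)
            break;
    if (!xp)
        return -ENOENT;
    if ((rc = policy_delete_security(xp, t)) != 0)   /* authorize before unlinking */
        return rc;
    *pp = xp->next;
    policy_free_security(xp);
    free(xp);
    return 0;
}

int ctx_outstanding(void) { return ctx_allocs - ctx_frees; }
```

The shape to notice is that only the alloc and delete hooks look at the task, while the free hook is the only place memory is released, so every error path after a successful alloc must reach it.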
fix wrong comments in ieee80211.h

2005-12-26 Thread Johannes Berg
The comments in ieee80211.h claim that one doesn't need to set the len
parameter of the stats struct. But if one doesn't, the management frames
are read far over the memory they actually occupy causing badness.

Signed-Off-By: Johannes Berg <[EMAIL PROTECTED]>

--- linux-2.6.15-rc7-rc15.ieee80211-orig/include/net/ieee80211.h
2005-12-26 11:59:47.821895000 +0100
+++ linux-2.6.15-rc7-rc15/include/net/ieee80211.h   2005-12-27 
02:07:31.026688000 +0100
@@ -363,8 +363,9 @@
 #define IEEE80211_OFDM_SHIFT_MASK_A 4
 
 /* NOTE: This data is for statistical purposes; not all hardware provides this
- *   information for frames received.  Not setting these will not cause
- *   any adverse affects. */
+ *   information for frames received.
+ *   For ieee80211_rx_mgt, you need to set at least the 'len' parameter.
+ */
 struct ieee80211_rx_stats {
u32 mac_time;
s8 rssi;
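Review bot: the replacement comment says callers need to set 'len' but not what it must hold; since the cover text says management frames are read past their real size when it is left unset, say what the value is, e.g. ` *   For ieee80211_rx_mgt, stats->len must hold the length of the frame passed in.` Also 'parameter' is misleading for a struct member; 'field' is clearer.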
@@ -1088,6 +1089,7 @@
 /* ieee80211_rx.c */
 extern int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
struct ieee80211_rx_stats *rx_stats);
+/* make sure to set stats->len */
 extern void ieee80211_rx_mgt(struct ieee80211_device *ieee,
 struct ieee80211_hdr_4addr *header,
 struct ieee80211_rx_stats *stats);
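Review bot: a bare `/* make sure to set stats->len */` beside the prototype does not stop a driver that leaves the field at zero, and the cover text says the consequence is reading beyond the frame; consider a check at the top of ieee80211_rx_mgt that rejects a stats->len shorter than the management header so an uninitialised len cannot turn into an over-read, and fold the reminder into the struct's doc comment from the previous hunk rather than duplicating it here.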


-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: ipv4 duplicate rules

2005-12-26 Thread David S. Miller
From: "Gabor Fekete" <[EMAIL PROTECTED]>
Date: Tue, 29 Nov 2005 13:18:28 -0800

> I realized that in fib_rules.c the inet_rtm_new_rule()
> function adds rules without checking if they already
> exist. This may result in duplicate rules being added.
> It makes it difficult to remove a rule when it is
> added multiple times (with the intention that it would
> be added only once if it exists, setting the necessary
> netlink flags).
> The attached patch tries to fix this. Sorry for attaching
> but my email client screws tabs.
> It is against 2.6.11 but it is the case with 2.6.14.3 too,
> as I see.
> 
> Signed-off-by: Gabor Fekete <[EMAIL PROTECTED]>

I can see what you're doing here, but I'm not so sure this
plays well with the preference field.

The preference field is meant to act the same way a firewall
chain does.  You can have identical rules in the chain,
and the preference determines which one gets actually hit.
But the exclusive flag in the netlink message indicates that
we should disallow multiple rules with the same key.

I'm inclined to apply this patch, but does anyone have any
strong opinions either way?
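As an added example that is not taken from fib_rules.c or from the attached patch, the C below models the semantics David describes: rules kept in preference order, identical rules permitted in the chain the way a firewall chain permits them, and an exclusive flag (standing in for the netlink exclusive flag) refusing a second rule with the same preference and key. The key fields, the flag value and the list layout are assumptions made for illustration.

```c
/* Added example, not kernel code: a rule table ordered by preference where
 * duplicates are allowed unless the caller asks for an exclusive insert.
 * Key fields, flag value and list layout are assumptions for illustration. */
#include <errno.h>
#include <stdlib.h>

#define RULE_F_EXCL 0x1          /* stands in for NLM_F_EXCL: fail if an identical rule exists */

struct rule_key {
    unsigned int src;            /* source prefix, host byte order */
    unsigned int src_len;        /* prefix length in bits */
    unsigned int table;          /* routing table the rule points at */
};

struct rule {
    unsigned int pref;           /* lower value is consulted first */
    struct rule_key key;
    struct rule *next;
};

struct rule_table { struct rule *head; int count; };

static int key_equal(const struct rule_key *a, const struct rule_key *b)
{
    return a->src == b->src && a->src_len == b->src_len && a->table == b->table;
}

/* Insert keeping the list sorted by pref (new rule goes after existing rules of
 * the same pref). With RULE_F_EXCL, refuse a rule whose pref and key already
 * exist; without it, the duplicate is accepted and sits in the chain twice. */
int rule_add(struct rule_table *tb, unsigned int pref, const struct rule_key *key,
             unsigned int flags)
{
    struct rule **pp, *r;
    for (pp = &tb->head; (r = *pp) != NULL && r->pref <= pref; pp = &r->next)
        if ((flags & RULE_F_EXCL) && r->pref == pref && key_equal(&r->key, key))
            return -EEXIST;
    r = calloc(1, sizeof(*r));
    if (!r)
        return -ENOMEM;
    r->pref = pref;
    r->key = *key;
    r->next = *pp;
    *pp = r;
    tb->count++;
    return 0;
}

/* Delete the first rule with this pref and key; a duplicated rule needs two calls. */
int rule_del(struct rule_table *tb, unsigned int pref, const struct rule_key *key)
{
    struct rule **pp, *r;
    for (pp = &tb->head; (r = *pp) != NULL; pp = &r->next) {
        if (r->pref == pref && key_equal(&r->key, key)) {
            *pp = r->next;
            free(r);
            tb->count--;
            return 0;
        }
    }
    return -ENOENT;
}

static int prefix_match(unsigned int addr, unsigned int prefix, unsigned int len)
{
    unsigned int mask = len ? ~0u << (32 - len) : 0;
    return (addr & mask) == (prefix & mask);
}

/* Lookup: the first rule in preference order whose source prefix matches wins;
 * returns its table, or 0 when nothing matches. */
unsigned int rule_lookup(const struct rule_table *tb, unsigned int src)
{
    const struct rule *r;
    for (r = tb->head; r; r = r->next)
        if (prefix_match(src, r->key.src, r->key.src_len))
            return r->key.table;
    return 0;
}
```

The exclusive check only compares against rules of the same preference, so the same key at a different preference is a distinct chain entry rather than a duplicate, which is the distinction the reply draws between the preference field and the exclusive flag.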


[PATCH 2/2][INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h

2005-12-26 Thread Arnaldo Carvalho de Melo
Hi David,

   Please consider pulling from:

master.kernel.org:/pub/scm/linux/kernel/git/acme/net-2.6.16.git

   These changesets were compile tested with allyesconfig,
allmodconfig and simple qemu configurations.

- Arnaldo
tree d0a039881ddd44da08b952e12495db7f91a28055
parent 3d876a7abafca15cc5c572f3a394fae9f1a325c5
author Arnaldo Carvalho de Melo <[EMAIL PROTECTED]> 1135657857 -0200
committer Arnaldo Carvalho de Melo <[EMAIL PROTECTED]> 1135657857 -0200

[INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h

To help in reducing the number of include dependencies, several files were
touched as they were getting needed headers indirectly for stuff they use.

Thanks also to Alan Menegotto for pointing out that net/dccp/proto.c had
linux/dccp.h included twice.

Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>

--

 drivers/infiniband/ulp/ipoib/ipoib_main.c  |2 
 drivers/infiniband/ulp/ipoib/ipoib_multicast.c |2 
 drivers/net/ns83820.c  |1 
 drivers/net/sk98lin/skge.c |1 
 drivers/net/skge.c |1 
 drivers/net/sundance.c |6 
 drivers/net/tg3.c  |1 
 fs/9p/trans_sock.c |1 
 fs/nfs/callback.c  |3 
 include/linux/dccp.h   |3 
 include/linux/ip.h |  126 
 include/linux/ipv6.h   |7 
 include/linux/udp.h|6 
 include/net/atmclip.h  |2 
 include/net/dst.h  |1 
 include/net/icmp.h |9 -
 include/net/ieee80211_crypt.h  |9 +
 include/net/inet_connection_sock.h |3 
 include/net/inet_ecn.h |2 
 include/net/inet_hashtables.h  |   21 --
 include/net/inet_sock.h|  193 +
 include/net/inet_timewait_sock.h   |2 
 include/net/ip.h   |   17 +-
 include/net/ip_fib.h   |2 
 include/net/ip_vs.h|   12 -
 include/net/ipv6.h |3 
 include/net/ndisc.h|   17 +-
 include/net/neighbour.h|2 
 include/net/pkt_act.h  |1 
 include/net/raw.h  |2 
 include/net/udp.h  |4 
 include/net/xfrm.h |3 
 net/bridge/br_netfilter.c  |4 
 net/bridge/netfilter/ebt_log.c |1 
 net/core/netpoll.c |1 
 net/dccp/ccid.h|2 
 net/dccp/ipv4.c|1 
 net/dccp/ipv6.c|1 
 net/dccp/output.c  |1 
 net/dccp/proto.c   |3 
 net/econet/af_econet.c |1 
 net/ipv4/af_inet.c |1 
 net/ipv4/ah4.c |1 
 net/ipv4/arp.c |1 
 net/ipv4/devinet.c |1 
 net/ipv4/esp4.c|1 
 net/ipv4/fib_frontend.c|1 
 net/ipv4/fib_hash.c|1 
 net/ipv4/fib_rules.c   |1 
 net/ipv4/fib_semantics.c   |2 
 net/ipv4/icmp.c|1 
 net/ipv4/igmp.c|2 
 net/ipv4/ip_input.c|1 
 net/ipv4/ip_options.c  |1 
 net/ipv4/ip_sockglue.c |1 
 net/ipv4/ipcomp.c  |1 
 net/ipv4/ipconfig.c|2 
 net/ipv4/ipmr.c|1 
 net/ipv4/ipvs/ip_vs_conn.c |2 
 net/ipv4/ipvs/ip_vs_ctl.c  |1 
 net/ipv4/ipvs/ip_vs_dh.c   |2 
 net/ipv4/ipvs/ip_vs_est.c  |3 
 net/ipv4/ipvs/ip_vs_lblc.c |2 
 net/ipv4/ipvs/ip_vs_lblcr.c|2 
 net/ipv4/ipvs/ip_vs_proto_ah.c |2 
 net/ipv4/ipvs/ip_vs_proto_esp.c|2 
 net/ipv4/ipvs/ip_vs_proto_udp.c|3 
 net/ipv4/ipvs/ip_vs_sh.c   |2 
 net/ipv4/ipvs/ip_vs_sync.c |2 
 net/ipv4/netfilter/ip_conntrack_amanda.c   |2 
 net/ipv4/netfilter/ip_conntrack_proto_gre.c|1 
 net/ipv4/netfilter/ip_conntrack_pro

[PATCH 1/2][SOCK]: Introduce sk_receive_skb

2005-12-26 Thread Arnaldo Carvalho de Melo
Hi David,

   Please consider pulling from:

master.kernel.org:/pub/scm/linux/kernel/git/acme/net-2.6.16.git

   These changesets were compile tested with allyesconfig,
allmodconfig and simple qemu configurations.

- Arnaldo
tree e099badea7f181e08cd427f9b04f3f57dc3068a5
parent 6fcae8357f524da8287ecaffb5075524e1c2a263
author Arnaldo Carvalho de Melo <[EMAIL PROTECTED]> 1135616087 -0200
committer Arnaldo Carvalho de Melo <[EMAIL PROTECTED]> 1135616087 -0200

[SOCK]: Introduce sk_receive_skb

It's common enough to justify that; TCP still can't use it as it has the
prequeueing stuff, still to be made generic in the not so distant future :-)

Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>

--

 drivers/net/pppoe.c|   22 ++
 include/net/sock.h |   23 +++
 net/dccp/ipv4.c|   23 ++-
 net/dccp/ipv6.c|   17 +
 net/decnet/dn_nsp_in.c |   17 +
 5 files changed, 29 insertions(+), 73 deletions(-)

--

diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index a842ecc..71e303b 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -383,8 +383,6 @@ static int pppoe_rcv(struct sk_buff *skb
 {
 	struct pppoe_hdr *ph;
 	struct pppox_sock *po;
-	struct sock *sk;
-	int ret;
 
 	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
 		goto drop;
@@ -395,24 +393,8 @@ static int pppoe_rcv(struct sk_buff *skb
 	ph = (struct pppoe_hdr *) skb->nh.raw;
 
 	po = get_item((unsigned long) ph->sid, eth_hdr(skb)->h_source);
-	if (!po) 
-		goto drop;
-
-	sk = sk_pppox(po);
-	bh_lock_sock(sk);
-
-	/* Socket state is unknown, must put skb into backlog. */
-	if (sock_owned_by_user(sk) != 0) {
-		sk_add_backlog(sk, skb);
-		ret = NET_RX_SUCCESS;
-	} else {
-		ret = pppoe_rcv_core(sk, skb);
-	}
-
-	bh_unlock_sock(sk);
-	sock_put(sk);
-
-	return ret;
+	if (po != NULL) 
+		return sk_receive_skb(sk_pppox(po), skb);
 drop:
 	kfree_skb(skb);
 out:
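Review bot: this is a behaviour change, not only a refactor: the removed code never ran sk_filter or cleared skb->dev, and it called pppoe_rcv_core directly, whereas sk_receive_skb does all three and dispatches through sk->sk_backlog_rcv. Confirm that pppox sockets set sk_backlog_rcv to pppoe_rcv_core and that applying socket filters to PPPoE session frames is intended, and say so in the commit message. The reference taken by get_item is now released inside sk_receive_skb, so the `drop:` path for a NULL po is the only one that must not call sock_put, which the `if (po != NULL)` form preserves.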
diff --git a/include/net/sock.h b/include/net/sock.h
index 91d2895..6961700 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -926,6 +926,29 @@ static inline void sock_put(struct sock 
 		sk_free(sk);
 }
 
+static inline int sk_receive_skb(struct sock *sk, struct sk_buff *skb)
+{
+	int rc = NET_RX_SUCCESS;
+
+	if (sk_filter(sk, skb, 0))
+		goto discard_and_relse;
+
+	skb->dev = NULL;
+
+	bh_lock_sock(sk);
+	if (!sock_owned_by_user(sk))
+		rc = sk->sk_backlog_rcv(sk, skb);
+	else
+		sk_add_backlog(sk, skb);
+	bh_unlock_sock(sk);
+out:
+	sock_put(sk);
+	return rc;
+discard_and_relse:
+	kfree_skb(skb);
+	goto out;
+}
+
 /* Detach socket from process context.
  * Announce socket dead, detach it from wait queue and inode.
  * Note that parent inode held reference count on this struct sock,
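Review bot: sk_receive_skb consumes the caller's reference on sk (sock_put on both the deliver and the discard path) and takes ownership of skb, but nothing says so; add a comment above the function stating that the caller must hold a reference which the helper releases and must not touch skb afterwards, since a caller that keeps its own sock_put would drop the socket twice. Worth stating as well that a packet discarded by sk_filter is still reported as NET_RX_SUCCESS (rc is never changed on the discard_and_relse path); that matches the code being replaced in dccp_v4_rcv but now applies to every caller.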
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index c363051..99e8afa 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -914,7 +914,6 @@ int dccp_v4_rcv(struct sk_buff *skb)
 {
 	const struct dccp_hdr *dh;
 	struct sock *sk;
-	int rc;
 
 	/* Step 1: Check header basics: */
 
@@ -984,28 +983,10 @@ int dccp_v4_rcv(struct sk_buff *skb)
 goto do_time_wait;
 	}
 
-	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
-		dccp_pr_debug("xfrm4_policy_check failed\n");
+	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
-	}
-
-if (sk_filter(sk, skb, 0)) {
-		dccp_pr_debug("sk_filter failed\n");
-goto discard_and_relse;
-	}
 
-	skb->dev = NULL;
-
-	bh_lock_sock(sk);
-	rc = 0;
-	if (!sock_owned_by_user(sk))
-		rc = dccp_v4_do_rcv(sk, skb);
-	else
-		sk_add_backlog(sk, skb);
-	bh_unlock_sock(sk);
-
-	sock_put(sk);
-	return rc;
+	return sk_receive_skb(sk, skb);
 
 no_dccp_socket:
 	if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
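Review bot: the dccp_pr_debug lines for the xfrm4_policy_check and sk_filter failures are dropped without replacement, so a debugging build loses the only indication of why a packet was discarded; keep the xfrm message in the `if` that remains, and if the sk_filter one matters, it now has to live in sk_receive_skb. The replacement also assumes sk->sk_backlog_rcv is dccp_v4_do_rcv for every socket reaching this point, where the old code called it directly; that is not visible in this hunk and belongs in the commit message.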
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 599b0be..2e194c8 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1032,7 +1032,6 @@ static int dccp_v6_rcv(struct sk_buff **
 	const struct dccp_hdr *dh;
 	struct sk_buff *skb = *pskb;
 	struct sock *sk;
-	int rc;
 
 	/* Step 1: Check header basics: */
 
@@ -1077,21 +1076,7 @@ static int dccp_v6_rcv(struct sk_buff **
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
 
-	if (sk_filter(sk, skb, 0))
-		goto discard_and_relse;
-
-	skb->dev = NULL;
-
-	bh_lock_sock(sk);
-	rc = 0;
-	if (!sock_owned_by_user(sk))
-		rc = dccp_v6_do_rcv(sk, skb);
-	else
-		sk_add_backlog(sk, skb);
-	bh_unlock_sock(sk);
-
-	sock_put(sk);
-	return rc ? -1 : 0;
+	return sk_receive_skb(sk, skb) ? -1 : 0;
 
 no_dccp_socket:
 	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
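Review bot: the v6 path maps a nonzero result from sk_receive_skb to -1 while the v4 hunk returns it unchanged; that mirrors the replaced `return rc ? -1 : 0;`, but with sk_backlog_rcv standing in for the direct dccp_v6_do_rcv call the meaning of the result now depends on what that callback returns, so a one-line comment on why the two address families differ would help the next reader.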
diff --git a/net/decnet/dn_nsp_in.c b/net/decnet/dn_nsp_in.c
index 369f25b..44bda85 100644
--- a/net/decnet/dn_nsp_in.c
+++ b/net/decnet/dn_nsp_in.c
@@ -793,7 +793,6 @@ static int dn_nsp_rx_packet(struct sk_bu
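As an added example that is not part of the patch, this single-threaded C model shows what the new helper centralizes: run the socket filter first, then either deliver the packet immediately or queue it to the backlog while a process owns the socket lock, and drain the backlog when the lock is released. The socket and skb layouts, the function-pointer filter, the counters and the sample bytes are assumptions made for illustration; the real sk_filter, lock_sock and backlog code are not reproduced.

```c
/* Added example, not from the patch: a single-threaded user-space model of
 * the receive path sk_receive_skb factors out. Layouts, the function-pointer
 * filter, the counters and the sample bytes are assumptions for illustration. */
#include <stdlib.h>
#include <string.h>

#define NET_RX_SUCCESS 0

struct sk_buff {
    unsigned char data[64];
    unsigned int len;
    struct sk_buff *next;
};

struct sock {
    int owned_by_user;                     /* models sock_owned_by_user(): a process holds the lock */
    int refcnt;                            /* models the reference the socket lookup handed the caller */
    struct sk_buff *backlog_head, *backlog_tail;
    int (*sk_filter)(struct sock *sk, struct sk_buff *skb);      /* nonzero means drop */
    int (*sk_backlog_rcv)(struct sock *sk, struct sk_buff *skb); /* protocol receive */
    int delivered, dropped;
};

static void sock_put(struct sock *sk) { sk->refcnt--; }
void sock_hold(struct sock *sk) { sk->refcnt++; }

static void sk_add_backlog(struct sock *sk, struct sk_buff *skb)
{
    skb->next = NULL;
    if (sk->backlog_tail)
        sk->backlog_tail->next = skb;
    else
        sk->backlog_head = skb;
    sk->backlog_tail = skb;
}

/* Mirrors the helper's contract: consumes the caller's reference on sk and
 * owns skb on every path. As in the helper, a filtered packet is freed but
 * still reported as NET_RX_SUCCESS. */
int sk_receive_skb(struct sock *sk, struct sk_buff *skb)
{
    int rc = NET_RX_SUCCESS;
    if (sk->sk_filter && sk->sk_filter(sk, skb)) {
        free(skb);
        sk->dropped++;
    } else if (!sk->owned_by_user) {
        rc = sk->sk_backlog_rcv(sk, skb);   /* nobody holds the lock: deliver now */
    } else {
        sk_add_backlog(sk, skb);            /* a process holds the lock: defer */
    }
    sock_put(sk);
    return rc;
}

void lock_sock(struct sock *sk) { sk->owned_by_user = 1; }

/* models release_sock(): deferred packets are delivered before the lock is dropped */
void release_sock(struct sock *sk)
{
    struct sk_buff *skb;
    while ((skb = sk->backlog_head) != NULL) {
        sk->backlog_head = skb->next;
        if (!sk->backlog_head)
            sk->backlog_tail = NULL;
        sk->sk_backlog_rcv(sk, skb);
    }
    sk->owned_by_user = 0;
}

/* sample protocol receive: count the packet and free it */
static int demo_rcv(struct sock *sk, struct sk_buff *skb)
{
    sk->delivered++;
    free(skb);
    return NET_RX_SUCCESS;
}

/* sample filter (constructed rule): drop packets whose first byte is 0xff */
static int demo_filter(struct sock *sk, struct sk_buff *skb)
{
    (void)sk;
    return skb->len > 0 && skb->data[0] == 0xff;
}

struct sk_buff *make_skb(const unsigned char *bytes, unsigned int len)
{
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    if (len > sizeof(skb->data))
        len = sizeof(skb->data);
    memcpy(skb->data, bytes, len);
    skb->len = len;
    return skb;
}

void demo_sock_init(struct sock *sk)
{
    memset(sk, 0, sizeof(*sk));
    sk->sk_filter = demo_filter;
    sk->sk_backlog_rcv = demo_rcv;
}
```

Every call pairs a sock_hold (the reference the lookup would have taken) with the sock_put inside sk_receive_skb, which is why the refcount returns to zero after each packet regardless of which path it took.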
 

Re: [PATCH 1/2][SOCK]: Introduce sk_receive_skb

2005-12-26 Thread David S. Miller
From: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
Date: Tue, 27 Dec 2005 02:35:40 -0200

>Please consider pulling from:
> 
> master.kernel.org:/pub/scm/linux/kernel/git/acme/net-2.6.16.git
> 
>These changesets were compile tested with allyesconfig,
> allmodconfig and simple qemu configurations.

Pulled, thanks Arnaldo.

About prequeue, you can probably make it a proto_op and then
do something like:

if (ops->prequeue && ops->prequeue( ... ))
...;


Re: [PATCH 2/2][INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h

2005-12-26 Thread David S. Miller
From: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
Date: Tue, 27 Dec 2005 02:38:39 -0200

> oops, committed a mistake and shipped a sundance.c driver patch in this
> lot, resending in a jiffie...

Ok, let me know when the tree is fixed.


Re: [PATCH 2/2][INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h

2005-12-26 Thread YOSHIFUJI Hideaki / 吉藤英明
In article <[EMAIL PROTECTED]> (at Tue, 27 Dec 2005 02:35:52 -0200), Arnaldo 
Carvalho de Melo <[EMAIL PROTECTED]> says:

> diff --git a/drivers/net/sundance.c b/drivers/net/sundance.c
> index 0ab9c38..8cdeb5c 100644
> --- a/drivers/net/sundance.c
> +++ b/drivers/net/sundance.c
> @@ -633,9 +633,13 @@ static int __devinit sundance_probe1 (st
>  
>   np->phys[0] = 1;/* Default setting */
>   np->mii_preamble_required++;
> + /*
> +  * It seems some phys doesn't deal well with address 0 being accessed
> +  * first, so leave address zero to the end of the loop (32 & 31).
> +  */
>   for (phy = 1; phy <= 32 && phy_idx < MII_CNT; phy++) {
> - int mii_status = mdio_read(dev, phy, MII_BMSR);
>   int phyx = phy & 0x1f;
> + int mii_status = mdio_read(dev, phyx, MII_BMSR);
>   if (mii_status != 0x  &&  mii_status != 0x) {
>   np->phys[phy_idx++] = phyx;
>   np->mii_if.advertising = mdio_read(dev, phyx, 
> MII_ADVERTISE);
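Review bot: this hunk is a PHY probe-order change in drivers/net/sundance.c and has nothing to do with moving struct inet_sock to net/inet_sock.h; it belongs in its own changeset with its own description. On its own merits the change looks right: the old code passed `phy` (up to 32, which is not a valid 5-bit PHY address) to mdio_read before masking it, and reading `mdio_read(dev, phyx, MII_BMSR)` after the `phy & 0x1f` mask matches the new comment about probing address 0 last. The two status comparisons in the quoted copy (`mii_status != 0x  &&  mii_status != 0x`) have lost their literals in transit and should be checked against the tree.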

Difference changeset, maybe?

--yoshfuji