Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Jan Engelhardt
On Dec 21 2007 14:35, Greg KH wrote: >> >> >I guess it could be, but the input for /proc/sys/vm/mmap_min_addr is >> >> >base 10 as well >> >> >> >> sysfs is autobase, i.e. echo "0xb000" >/sys/foo will Do The Right Thing. >> > >> >yes but if you cat /proc/sys/vm/mmap_min_addr, it returns in base

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Greg KH
On Fri, Dec 21, 2007 at 11:04:19PM +0100, Jan Engelhardt wrote: > > On Dec 21 2007 22:16, Willy Tarreau wrote: > >Hi Jan, > > > >> >> >+config SECURITY_DEFAULT_MMAP_MIN_ADDR > >> >> >+int "Low address space to protect from user allocation" > >> >> > >> >> Hm, should not this be 'hex'? > >

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Greg KH
On Fri, Dec 21, 2007 at 10:10:24PM +0100, Jan Engelhardt wrote: > > On Dec 21 2007 15:31, Eric Paris wrote: > >On Thu, 2007-12-20 at 00:29 +0100, Jan Engelhardt wrote: > >> On Dec 19 2007 16:59, Eric Paris wrote: > >> > > >> >+config SECURITY_DEFAULT_MMAP_MIN_ADDR > >> >+int "Low address s

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Jan Engelhardt
On Dec 21 2007 22:16, Willy Tarreau wrote: >Hi Jan, > >> >> >+config SECURITY_DEFAULT_MMAP_MIN_ADDR >> >> >+int "Low address space to protect from user allocation" >> >> >> >> Hm, should not this be 'hex'? >> > >> >I guess it could be, but the input for /proc/sys/vm/mmap_min_addr is >> >b

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Willy Tarreau
Hi Jan, On Fri, Dec 21, 2007 at 10:10:24PM +0100, Jan Engelhardt wrote: > > On Dec 21 2007 15:31, Eric Paris wrote: > >On Thu, 2007-12-20 at 00:29 +0100, Jan Engelhardt wrote: > >> On Dec 19 2007 16:59, Eric Paris wrote: > >> > > >> >+config SECURITY_DEFAULT_MMAP_MIN_ADDR > >> >+int "Low

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Jan Engelhardt
On Dec 21 2007 15:31, Eric Paris wrote: >On Thu, 2007-12-20 at 00:29 +0100, Jan Engelhardt wrote: >> On Dec 19 2007 16:59, Eric Paris wrote: >> > >> >+config SECURITY_DEFAULT_MMAP_MIN_ADDR >> >+int "Low address space to protect from user allocation" >> >> Hm, should not this be 'hex'? > >

Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection

2007-12-21 Thread Eric Paris
On Thu, 2007-12-20 at 00:29 +0100, Jan Engelhardt wrote: > On Dec 19 2007 16:59, Eric Paris wrote: > > > >+config SECURITY_DEFAULT_MMAP_MIN_ADDR > >+int "Low address space to protect from user allocation" > > Hm, should not this be 'hex'? I guess it could be, but the input for /proc/sys/

Re: [RFC PATCH v9 12/18] SELinux: Add a new peer class and permissions to the Flask definitions

2007-12-21 Thread Paul Moore
On Friday 21 December 2007 12:36:15 pm Stephen Smalley wrote: > On Fri, 2007-12-21 at 12:09 -0500, Paul Moore wrote: > > Add additional Flask definitions to support the new "peer" object class > > and additional permissions to the netif and node object classes. > > > > Signed-off-by: Paul Moore <[E

Re: [RFC PATCH v9 12/18] SELinux: Add a new peer class and permissions to the Flask definitions

2007-12-21 Thread Stephen Smalley
On Fri, 2007-12-21 at 12:09 -0500, Paul Moore wrote: > Add additional Flask definitions to support the new "peer" object class and > additional permissions to the netif and node object classes. > > Signed-off-by: Paul Moore <[EMAIL PROTECTED]> Not an obstacle to merging, but need to get this res

[RFC PATCH v9 16/18] NetLabel: Introduce static network labels for unlabeled connections

2007-12-21 Thread Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first

[RFC PATCH v9 13/18] SELinux: Better integration between peer labeling subsystems

2007-12-21 Thread Paul Moore
Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer

[RFC PATCH v9 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-21 Thread Paul Moore
This patch adds a SELinux IP address/node SID caching mechanism similar to the sel_netif_*() functions. The node SID queries in the SELinux hooks files are also modified to take advantage of this new functionality. In addition, remove the address length information from the sk_buff parsing routin

[RFC PATCH v9 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-21 Thread Paul Moore
This patch implements packet ingress/egress controls for SELinux which allow SELinux security policy to control the flow of all IPv4 and IPv6 packets into and out of the system. Currently SELinux does not have proper control over forwarded packets and this patch corrects this problem. Special tha

[RFC PATCH v9 17/18] NetLabel: Add auditing to the static labeling mechanism

2007-12-21 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- include/linux/audit.h |2 net/netlabel/netlabel_unlabeled.c | 207 ++--- 2 files changed, 195 insertions(+), 14 deletion

[RFC PATCH v9 08/18] SELinux: Convert the netif code to use ifindex values

2007-12-21 Thread Paul Moore
The current SELinux netif code requires the caller have a valid net_device struct pointer to lookup network interface information. However, we don't always have a valid net_device pointer so convert the netif code to use the ifindex values we always have as part of the sk_buff. This patch also re

[RFC PATCH v9 11/18] SELinux: Add a capabilities bitmap to SELinux policy version 22

2007-12-21 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/Kconfig|2 - security/selinux/include/se

[RFC PATCH v9 15/18] SELinux: Allow NetLabel to directly cache SIDs

2007-12-21 Thread Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we can do a big optimization - caching the SID and not just the MLS attributes. This not only saves a lot of per-packet memory allocations and copies but it has a nice side effect of removing a chunk of code. Signed-off-by:

[RFC PATCH v9 14/18] SELinux: Enable dynamic enable/disable of the network access checks

2007-12-21 Thread Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and w

[RFC PATCH v9 09/18] SELinux: Only store the network interface's ifindex

2007-12-21 Thread Paul Moore
Instead of storing the packet's network interface name store the ifindex. This allows us to defer the need to lookup the net_device structure until the audit record is generated meaning that in the majority of cases we never need to bother with this at all. Signed-off-by: Paul Moore <[EMAIL PROTE

[RFC PATCH v9 12/18] SELinux: Add a new peer class and permissions to the Flask definitions

2007-12-21 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class and additional permissions to the netif and node object classes. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/include/av_perm_to_string.h |5 + security/selinux/include/av_permissions.h|

[RFC PATCH v9 04/18] NetLabel: Add secid token support to the NetLabel secattr struct

2007-12-21 Thread Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetL

[RFC PATCH v9 07/18] NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function

2007-12-21 Thread Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. Signed-off-by: Pa

[RFC PATCH v9 01/18] NetLabel: Remove unneeded RCU read locks

2007-12-21 Thread Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> -

[RFC PATCH v9 06/18] LSM: Add inet_sys_snd_skb() LSM hook

2007-12-21 Thread Paul Moore
Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide packet level access control for all outbound packets. Using the existing postroute_last netfilter hook turns out to be problematic as it can be invoked multiple times for a single packet, e.g. individual IPsec transforms, adding unw

[RFC PATCH v9 05/18] LSM: Add secctx_to_secid() LSM hook

2007-12-21 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing secid_to_secctx() LSM hook. This patch also includes the SELinux implementation for this hook. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> Acked-by: Stephen Smalley <[EMAIL PROTECTED]> --- include/linux/security.h | 13 +

[RFC PATCH v9 02/18] NetLabel: Cleanup the LSM domain hash functions

2007-12-21 Thread Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors. Signed-off-by:

[RFC PATCH v9 00/18] Labeled networking patches for 2.6.25 (against 2.6.24-rc6)

2007-12-21 Thread Paul Moore
One more revision before the end of the year, based against 2.6.24-rc6 or rather Linus' linux-2.6 tree from an hour ago. The changes this time are pretty minor: some IPv6 address tweaks and the object class/permission changes already discussed on the SELinux list. I've also updated the git tree a

[RFC PATCH v9 03/18] NetLabel: Consolidate the LSM domain mapping/hashing locks

2007-12-21 Thread Paul Moore
Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry