Extra bits for separation of task_struct - task_security to make allyesconfig
compile for i386 and x86_64. This will be rolled into patch 06 of 12.
From: David Howells [EMAIL PROTECTED]
---
drivers/connector/cn_proc.c |8
drivers/media/video/cpia.c |2 +-
drivers/net/tun.c
Make NFSD work with detached security, using the patches that excise the
security information from task_struct to struct task_security as a base.
Each time NFSD wants a new security descriptor (to do NFS4 recovery or just to
do NFS operations), a task_security record is derived from NFSD's
On Thu, Jan 17, 2008 at 05:17:20PM +, David Howells wrote:
Make NFSD work with detached security, using the patches that excise the
security information from task_struct to struct task_security as a base.
Each time NFSD wants a new security descriptor (to do NFS4 recovery or just to
do
This patch implements packet ingress/egress controls for SELinux which allow
SELinux security policy to control the flow of all IPv4 and IPv6 packets into
and out of the system. Currently SELinux does not have proper control over
forwarded packets and this patch corrects this problem.
Special
This patch adds auditing support to the NetLabel static labeling mechanism.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/audit.h |2
net/netlabel/netlabel_unlabeled.c | 207 ++---
2 files changed, 195 insertions(+), 14
Most trusted OSs, with the exception of Linux, have the ability to specify
static security labels for unlabeled networks. This patch adds this ability to
the NetLabel packet labeling framework.
If the NetLabel subsystem is called to determine the security attributes of an
incoming packet it
Add additional Flask definitions to support the new peer object class and
additional permissions to the netif, node, and packet object classes. Also,
bring the kernel Flask definitions up to date with the Fedora SELinux policies
by adding the flow_in and flow_out permissions to the packet class.
Instead of storing the packet's network interface name store the ifindex. This
allows us to defer the need to lookup the net_device structure until the audit
record is generated meaning that in the majority of cases we never need to
bother with this at all.
Signed-off-by: Paul Moore [EMAIL
In order to do any sort of IP header inspection of incoming packets we need to
know which address family, AF_INET/AF_INET6/etc., it belongs to and since the
sk_buff structure does not store this information we need to pass along the
address family separate from the packet itself.
Signed-off-by:
This patch adds support to the NetLabel LSM secattr struct for a secid token
and a type field, paving the way for full LSM/SELinux context support and
static or fallback labels. In addition, this patch adds a fair amount
of documentation to the core NetLabel structures used as part of the
Currently we use two separate spinlocks to protect both the hash/mapping table
and the default entry. This could be considered a bit foolish because it adds
complexity without offering any real performance advantage. This patch
removes the dedicated default spinlock and protects the default
The NetLabel/LSM domain hash table search function used an argument to specify
if the default entry should be returned if an exact match couldn't be found in
the hash table. This is a bit against the kernel's style so make two separate
functions to represent the separate behaviors.
This patch removes some unneeded RCU read locks as we can treat the reads as
safe even without RCU. It also converts the NetLabel configuration refcount
from a spinlock protected u32 into atomic_t to be more consistent with the rest
of the kernel.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
The latest update to the labeled networking changes for 2.6.25.
This revision of the patchset finalizes the packet ingress/egress controls
using the existing netfilter forwarding and postrouting hooks while
adding SECMARK controls for forwarded traffic as discussed on the SELinux list.
This
This patch introduces a mechanism for checking when labeled IPsec or SECMARK
are in use by keeping introducing a configuration reference counter for each
subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry
is created the labeled IPsec/XFRM reference count is increased and
Currently network traffic can be sliently dropped due to non-avc errors which
can lead to much confusion when trying to debug the problem. This patch adds
warning messages so that when these events occur there is a user visible
notification.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
David Howells [EMAIL PROTECTED] wrote:
J. Bruce Fields [EMAIL PROTECTED] wrote:
Just curious--why? Are get_kernel_security(), etc., particularly
expensive?
It involves a kmalloc(). That means an extra possibility for an error. Plus
it may allow you to cache the result of checking
17 matches
Mail list logo