On Mon, 2015-12-21 at 22:44 +0100, Luis R. Rodriguez wrote:
>
> Eventually, once we generalize a common read perhaps we should stuff this
> into VFS common code and provide arguments to enable callers to provide
> restrictions or requirements. Let's work together on that after the holidays.
>
>
CALIPSO is a hop-by-hop IPv6 option. A lot of this patch is based on
the equivalent CIPSO code. The main difference is due to manipulating
the options in the hop-by-hop header.
Signed-off-by: Huw Davies
---
include/net/ipv6.h | 2 +
include/net/netlabel.h | 9 +
inclu
Request sockets need to have a label that takes into account the
incoming connection as well as their parent's label. This is used
for the outgoing SYN-ACK and for their child full-socket.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 6
net/ipv6/calipso.c |
We check lengths, checksum and the DOI. We leave checking of the
level and categories for the socket layer.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 6 ++
net/ipv6/calipso.c| 43 +++
net/ipv6/exthdrs.c| 27 +++
This fixes sparse errors of the form:
netlabel_domainhash.c:126:23: error: incompatible types in comparison
expression (different address spaces)
This patch also removes unnecessary initialization of static variables
to NULL.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c |
Remove a specified DOI through the NLBL_CALIPSO_C_REMOVE command.
It requires the attribute:
NLBL_CALIPSO_A_DOI.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 1 +
net/ipv6/calipso.c | 48 +
net/netlabel/netlabel_calipso.c | 92 +++
CALIPSO is a packet labelling protocol for IPv6 which is very similar
to CIPSO. It is specified in RFC 5570. Much of the code is based on
the current CIPSO code.
This adds support for adding passthrough-type CALIPSO DOIs through the
NLBL_CALIPSO_C_ADD command. It requires attributes:
NLBL_CAL
This makes it possible to route the error to the appropriate
labelling engine. CALIPSO is far less verbose than CIPSO
when encountering a bogus packet, so there is no need for a
CALIPSO error handler.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 2 +-
net/netlabel/netlab
Query a specified DOI through the NLBL_CALIPSO_C_LIST command.
It requires the attribute:
NLBL_CALIPSO_A_DOI.
The reply will contain:
NLBL_CALIPSO_A_MTYPE
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 4 ++
net/ipv6/calipso.c | 68 +++
This patch series implements RFC 5570 - Common Architecture Label IPv6
Security Option (CALIPSO). Its goal is to set MLS sensitivity labels
on IPv6 packets using a hop-by-hop option. CALIPSO is very similar to
its IPv4 cousin CIPSO and much of this series is based on that code.
Most of this series
The functionality is equivalent to ipv6_renew_options() except
that the newopt pointer is in kernel, not user, memory.
The kernel memory implementation will be used by the CALIPSO network
labelling engine, which needs to be able to set IPv6 hop-by-hop
options.
Signed-off-by: Huw Davies
---
inclu
If set, these will take precedence over the parent's options during
both sending and child creation. If they're not set, the parent's
options (if any) will be used.
This is to allow the security_inet_conn_request() hook to modify the
IPv6 options in just the same way that it already may do for IP
This is to allow the CALIPSO labelling engine to use these.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 6 +++
net/ipv4/cipso_ipv4.c| 88 +---
net/netlabel/netlabel_kapi.c | 70 +++
3 files changed,
In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour. This allows selinux to label the skbuffs that it requires.
Signed-off-by: Huw Davies
---
include/net/ipv6.h | 2 +-
include/net/net
If a socket has a netlabel in place then don't let setsockopt() alter
the socket's IPv6 hop-by-hop option. This is in the same spirit as
the existing check for IPv4.
Signed-off-by: Huw Davies
---
security/selinux/netlabel.c | 17 -
1 file changed, 16 insertions(+), 1 deletion(-)
This works in exactly the same way as the CIPSO label cache.
The idea is to allow the lsm to cache the result of a secattr
lookup so that it doesn't need to perform the lookup for
every skbuff.
It introduces two sysctl controls:
calipso_cache_enable - enables/disables the cache.
calipso_cache_bu
The reason is to allow different labelling protocols for
different address families with the same domain.
This requires the addition of an address family attribute
in the netlink communication protocol. It is used in several
messages:
NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF take it as an optional
This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands
to accept CALIPSO protocol DOIs.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 40 +--
net/netlabel/netlabel_domainhash.h | 1 +
net/netlabel/netlabel_mgmt.c | 48
Enumerate the DOI list through the NLBL_CALIPSO_C_LISTALL command.
It takes no attributes.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 4 ++
net/ipv6/calipso.c | 41
net/netlabel/netlabel_calipso.c | 106 +++
On Mon, Dec 21, 2015 at 12:59:59PM -0800, Tadeusz Struk wrote:
>
> The previous patch was broken, re-sending again, sorry.
>
> I think there is something missing in this configuration.
> cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives nothing.
> Anyways, this patch should fix it.
No this is un
On 22.12.2015 12:46, Huw Davies wrote:
> The functionality is equivalent to ipv6_renew_options() except
> that the newopt pointer is in kernel, not user, memory.
>
> The kernel memory implementation will be used by the CALIPSO network
> labelling engine, which needs to be able to set IPv6 hop-by-ho
On 22.12.2015 12:46, Huw Davies wrote:
> tot_len += sizeof(*opt2);
> - opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC);
> + if (sk)
> + opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC);
> + else
> + opt2 = kmalloc(tot_len, GFP_ATOMIC);
> if (!opt2)
>
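Review bot: with the allocation now conditional on `sk`, every release of `opt2` on the error and success paths has to make the same choice, `sock_kfree_s()` only when `sk` is non-NULL and `kfree()` otherwise, because sock_kmalloc() charges the socket's option memory and sock_kfree_s() uncharges it; the hunk shows only the allocation side, so the matching frees elsewhere in the patch should be checked for the NULL-socket case.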
On 22.12.2015 12:46, Huw Davies wrote:
>
> +/* CALIPSO RFC 5570 */
> +
> +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
> +{
> + const unsigned char *nh = skb_network_header(skb);
> +
> + if (nh[optoff + 1] < 8)
> + goto drop;
> +
> + if (nh[optoff + 6] * 4
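Review bot: the `nh[optoff + 1] < 8` guard only covers the fixed part of the option (DOI, compartment length, sensitivity level, checksum), so the comparison that begins with `nh[optoff + 6] * 4` must also ensure the variable-length compartment bitmap fits inside the declared option length before anything reads past the eighth byte of option data; a short comment naming the fixed-header size would make the bare constant 8 self-explanatory.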
Commit "IMA: policy can now be updated multiple times" assumed that the
policy would be updated at least once.
If there are zero updates, the temporary list head object will get added
to the policy list, and later dereferenced as an IMA policy object, which
means that invalid memory will be access
Hi Herbert
On 12/22/2015 04:09 AM, Herbert Xu wrote:
> On Mon, Dec 21, 2015 at 12:59:59PM -0800, Tadeusz Struk wrote:
>>
>> The previous patch was broken, re-sending again, sorry.
>>
>> I think there is something missing in this configuration.
>> cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives no
On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 12:46, Huw Davies wrote:
> >
> > +/* CALIPSO RFC 5570 */
> > +
> > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
> > +{
> > + const unsigned char *nh = skb_network_header(skb);
> > +
> > + i
On 12/22/2015 3:46 AM, Huw Davies wrote:
> This patch series implements RFC 5570 - Common Architecture Label IPv6
> Security Option (CALIPSO). Its goal is to set MLS sensitivity labels
> on IPv6 packets using a hop-by-hop option. CALIPSO is very similar to
> its IPv4 cousin CIPSO and much of this se
On Tue, Dec 22, 2015 at 09:28:37AM -0800, Casey Schaufler wrote:
> On 12/22/2015 3:46 AM, Huw Davies wrote:
> > This patch series implements RFC 5570 - Common Architecture Label IPv6
> > Security Option (CALIPSO). Its goal is to set MLS sensitivity labels
> > on IPv6 packets using a hop-by-hop opt
On Tue, 2015-12-22 at 08:51 -0500, Sasha Levin wrote:
> Commit "IMA: policy can now be updated multiple times" assumed that the
> policy would be updated at least once.
>
> If there are zero updates, the temporary list head object will get added
> to the policy list, and later dereferenced as an I
The following changes since commit ebd68df3f24b318d391d15c458d6f43f340ba36a:
Sync to Linus v4.4-rc2 for LSM developers. (2015-11-23 22:46:28 +1100)
are available in the git repository at:
https://github.com/cschaufler/smack-next.git smack-for-4.5
for you to fetch changes up to 81bd0d56298f9
On December 22, 2015 9:56:28 PM GMT+02:00, Mimi Zohar wrote:
> On Tue, 2015-12-22 at 08:51 -0500, Sasha Levin wrote:
>> Commit "IMA: policy can now be updated multiple times" assumed that the
>> policy would be updated at least once.
>>
>> If there are zero updates, the temporary list head objec
On 22.12.2015 17:59, Huw Davies wrote:
> On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote:
>> On 22.12.2015 12:46, Huw Davies wrote:
>>>
>>> +/* CALIPSO RFC 5570 */
>>> +
>>> +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
>>> +{
>>> + const unsigned char *nh
On 12/22/2015 04:40 PM, Petko Manolov wrote:
>> Thanks, Sasha. By the time ima_update_policy() is called
>> ima_release_policy() has already output the policy update status
>> message. I guess an empty policy could be considered a valid policy.
>> Could you add a msg indicating that the new po
On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 17:59, Huw Davies wrote:
> > I'm confused about this one. AFAICS, this will drop packets that we
> > can't process. We don't send the icmp error, but I can certainly add
> > that. Is that what you mean?
>
> Ac
On Tue, Dec 22, 2015 at 06:23:59AM -0800, Tadeusz Struk wrote:
>
> What about the first two. This one is completely unrelated.
> It is only supposed to fix some random configuration issue
> reported by a build robot, which isn't really important now.
> The other two convert the module verifier to the
On 12/22/2015 06:33 PM, Herbert Xu wrote:
>> What about the first two. This one is completely unrelated.
>> It is only supposed to fix some random configuration issue
>> reported by a build robot, which isn't really important now.
>> The other two convert the module verifier to the new API.
> No
This patch set converts the module verification and digital signature
code to the new akcipher API.
RSA implementation has been removed from crypto/asymmetric_keys and the
new API is used for cryptographic primitives.
There is no need for MPI above the akcipher API anymore.
Modules can be verified
Convert asymmetric_verify to akcipher api.
Signed-off-by: Tadeusz Struk
---
security/integrity/Kconfig |1 +
security/integrity/digsig_asymmetric.c | 10 +++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kc
This patch converts the module verification code to the new akcipher API.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trus