Re: RFC(v2): Audit Kernel Container IDs

2017-12-11 Thread Eric Paris
On Sat, 2017-12-09 at 10:28 -0800, Casey Schaufler wrote:
> On 12/9/2017 2:20 AM, Mickaël Salaün wrote:

> >  What about automatically creating and assigning an ID to a process
> > when it enters a namespace different than one of its parent process?
> > This delegates the (permission) responsibility to the use of
> > namespaces (e.g. /proc/sys/user/max_* limit).
> 
> That gets ugly when you have a container that uses user, filesystem,
> network and whatever else namespaces. If all containers used the same
> set of namespaces I think this would be a fine idea, but they don't.
> 
> > One interesting side effect of this approach would be to be able to
> > identify which processes are in the same set of namespaces, even if
> > not spawned from the container but entered after its creation (i.e.
> > using setns), by creating container IDs as a (deterministic) checksum
> > from the /proc/self/ns/* IDs.
> > 
> > Since the concern is to identify a container, I think the ability
> > to
> > audit the switch from one container ID to another is enough. I
> > don't
> > think we need nested IDs.
> 
> Because a container doesn't have to use namespaces to be a container
> you still need a mechanism for a process to declare that it is in
> fact
> in a container, and to identify the container.

I like the idea but I'm still tossing it around in my head (and
thinking about Casey's statement too). Let's say we have a 'docker-like'
container with pid=100 netns=X,userns=Y,mountns=Z. If I'm on the host
in all init namespaces and I run
  nsenter -t 100 -n ip link set eth0 promisc on
How should this be logged? Did this command run in its own 'container'
unrelated to the 'docker-like' container?

-Eric
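To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from the audit kernel project) that implements the checksum-over-namespace-IDs idea from the quoted proposal in plain C, reads the inode numbers behind /proc/<pid>/ns/* the way readlink() reports them, and evaluates the nsenter scenario above with constructed inode values. The FNV-1a hash, the set of namespace kinds and the inode numbers are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Namespace kinds in a fixed order, so the checksum does not depend on the
 * order in which the /proc/<pid>/ns/ entries happen to be read. */
static const char *const ns_names[] = { "user", "mnt", "net", "pid", "ipc", "uts" };
#define NS_COUNT (sizeof(ns_names) / sizeof(ns_names[0]))
enum { NS_USER, NS_MNT, NS_NET, NS_PID, NS_IPC, NS_UTS };

/* Deterministic ID: 64-bit FNV-1a over the namespace inode numbers in
 * ns_names order. Using FNV-1a is an assumption made for this example. */
static uint64_t container_id(const uint64_t ino[NS_COUNT])
{
	uint64_t h = 0xcbf29ce484222325ULL;
	size_t i;
	int b;
	for (i = 0; i < NS_COUNT; i++)
		for (b = 0; b < 8; b++) {
			h ^= (ino[i] >> (8 * b)) & 0xffU;
			h *= 0x100000001b3ULL;
		}
	return h;
}

/* Parse the "net:[4026531992]" text that readlink() returns for a
 * /proc/<pid>/ns/<kind> symlink; 0 means the text is not in that form. */
static uint64_t parse_ns_link(const char *link)
{
	const char *lb = strchr(link, '[');
	unsigned long long v = 0;
	char close = 0;
	if (!lb || sscanf(lb + 1, "%llu%c", &v, &close) != 2 || close != ']')
		return 0;
	return (uint64_t)v;
}

/* Read the live namespace set of a process (Linux only). Returns -1 if any
 * link cannot be read, e.g. for lack of permission on another pid. */
static int read_ns_set(pid_t pid, uint64_t ino[NS_COUNT])
{
	char path[64], link[64];
	size_t i;
	for (i = 0; i < NS_COUNT; i++) {
		ssize_t n;
		snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, ns_names[i]);
		n = readlink(path, link, sizeof link - 1);
		if (n < 0)
			return -1;
		link[n] = '\0';
		ino[i] = parse_ns_link(link);
		if (ino[i] == 0)
			return -1;
	}
	return 0;
}

static int same_container(const uint64_t a[NS_COUNT], const uint64_t b[NS_COUNT])
{
	return container_id(a) == container_id(b);
}

/* Constructed inode numbers for the scenario in the thread: the host's init
 * namespaces, a docker-like container with its own user, mnt and net
 * namespaces, and "nsenter -t 100 -n ..." run from the host, which joins
 * only the container's net namespace. */
static const uint64_t host_ns[NS_COUNT] = {
	[NS_USER] = 4026531837, [NS_MNT] = 4026531840, [NS_NET] = 4026531992,
	[NS_PID] = 4026531836, [NS_IPC] = 4026531839, [NS_UTS] = 4026531838,
};
static const uint64_t cont_ns[NS_COUNT] = {
	[NS_USER] = 4026532201, [NS_MNT] = 4026532202, [NS_NET] = 4026532203,
	[NS_PID] = 4026531836, [NS_IPC] = 4026531839, [NS_UTS] = 4026531838,
};
static const uint64_t nsenter_ns[NS_COUNT] = {
	[NS_USER] = 4026531837, [NS_MNT] = 4026531840, [NS_NET] = 4026532203,
	[NS_PID] = 4026531836, [NS_IPC] = 4026531839, [NS_UTS] = 4026531838,
};

int main(void)
{
	uint64_t self[NS_COUNT];
	printf("host       %016llx\n", (unsigned long long)container_id(host_ns));
	printf("container  %016llx\n", (unsigned long long)container_id(cont_ns));
	printf("nsenter -n %016llx\n", (unsigned long long)container_id(nsenter_ns));
	if (read_ns_set(getpid(), self) == 0)
		printf("this pid   %016llx\n", (unsigned long long)container_id(self));
	return 0;
}
```

With this scheme the nsenter'd command gets a third ID that matches neither the host nor the container, which is exactly the ambiguity the question above points at.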


Re: [PATCH V2] audit: log 32-bit socketcalls

2017-01-13 Thread Eric Paris
On Fri, 2017-01-13 at 10:06 -0500, Richard Guy Briggs wrote:
> On 2017-01-13 09:42, Eric Paris wrote:
> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:


> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 9d4443f..43d8003 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -387,6 +387,18 @@ static inline int audit_socketcall(int
> > > nargs,
> > > unsigned long *args)
> > >   return __audit_socketcall(nargs, args);
> > >   return 0;
> > >  }
> > > +static inline int audit_socketcall_compat(int nargs, u32 *args)
> > > +{
> > > + if (unlikely(!audit_dummy_context())) {
> > 
> > I've always hated these likely/unlikely. Mostly because I think
> > they
> > are so often wrong. I believe this says that you compiled audit in
> > but
> > you expect it to be explicitly disabled. While that is (recently)
> > true
> > in Fedora I highly doubt that's true on the vast majority of
> > systems
> > that have audit compiled in.
> 
> It has been argued that audit should have pretty much no performance
> impact if it is not in use and that if it is, we're willing to take
> the
> more significant overhead of the rest of the code for the sake of one
> test to determine whether or not to follow this code path.

Ok, I can buy that argument. Not sure it's where I would have settled,
but it does make sense. I'll obviously defer to Paul on what he wants
out of style. I always assume the compiler is brilliant and write
stupid code but your logic is sound there too.

You can/should pretend I said nothing.


Re: [PATCH V2] audit: log 32-bit socketcalls

2017-01-13 Thread Eric Paris
On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> 32-bit socketcalls were not being logged by audit on x86_64 systems.
> Log them.  This is basically a duplicate of the call from
> net/socket.c:sys_socketcall(), but it addresses the impedance
> mismatch
> between 32-bit userspace process and 64-bit kernel audit.
> 
> See: https://github.com/linux-audit/audit-kernel/issues/14
> 
> Signed-off-by: Richard Guy Briggs 
> 
> --
> v2:
>    Move work to audit_socketcall_compat() and use
> audit_dummy_context().
> ---
>  include/linux/audit.h |   16 
>  net/compat.c  |   15 +--
>  2 files changed, 29 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 9d4443f..43d8003 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -387,6 +387,18 @@ static inline int audit_socketcall(int nargs,
> unsigned long *args)
>   return __audit_socketcall(nargs, args);
>   return 0;
>  }
> +static inline int audit_socketcall_compat(int nargs, u32 *args)
> +{
> + if (unlikely(!audit_dummy_context())) {

I've always hated these likely/unlikely. Mostly because I think they
are so often wrong. I believe this says that you compiled audit in but
you expect it to be explicitly disabled. While that is (recently) true
in Fedora I highly doubt that's true on the vast majority of systems
that have audit compiled in.

I think all of the likely/unlikely need to just be abandoned, but at
least don't add more? It certainly wouldn't be the first time I was
wrong, and I haven't profiled it. But the function would definitely
look better if coded

static inline int audit_socketcall_compat(int nargs, u32 *args)
{
	if (audit_dummy_context()) {
		return 0;
	}
	int i;
	unsigned long a[AUDITSC_ARGS];

	[...]
}

> + int i;
> + unsigned long a[AUDITSC_ARGS];
> +
> + for (i=0; i + a[i] = (unsigned long)args[i];
> + return __audit_socketcall(nargs, a);
> + }
> + return 0;
> +}
>  static inline int audit_sockaddr(int len, void *addr)
>  {
>   if (unlikely(!audit_dummy_context()))
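Review bot: audit_socketcall_compat() writes nargs entries into a fixed `unsigned long a[AUDITSC_ARGS]` without bounding nargs itself; the only guard is the caller's `if (len > sizeof(a)) return -EINVAL;` in net/compat.c, where the source array is also sized AUDITSC_ARGS. Since this is a header inline that other callers can pick up, either document that callers must keep nargs <= AUDITSC_ARGS or add a defensive check in the helper.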
> @@ -513,6 +525,10 @@ static inline int audit_socketcall(int nargs,
> unsigned long *args)
>  {
>   return 0;
>  }
> +static inline int audit_socketcall_compat(int nargs, u32 *args)
> +{
> + return 0;
> +}
>  static inline void audit_fd_pair(int fd1, int fd2)
>  { }
>  static inline int audit_sockaddr(int len, void *addr)
> diff --git a/net/compat.c b/net/compat.c
> index 1cd2ec0..f0404d4 100644
> --- a/net/compat.c
> +++ b/net/compat.c
> @@ -22,6 +22,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  
>  #include 
> @@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd,
> struct compat_mmsghdr __user *, mmsg,
>  
>  COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
>  {
> + unsigned int len;
>   int ret;
> - u32 a[6];
> + u32 a[AUDITSC_ARGS];
>   u32 a0, a1;
>  
>   if (call < SYS_SOCKET || call > SYS_SENDMMSG)
>   return -EINVAL;
> - if (copy_from_user(a, args, nas[call]))
> + len = nas[call];
> + if (len > sizeof(a))
> + return -EINVAL;
> +
> + if (copy_from_user(a, args, len))
>   return -EFAULT;
> +
> + ret = audit_socketcall_compat(len/sizeof(a[0]), a);
> + if (ret)
> + return ret;
> +
>   a0 = a[0];
>   a1 = a[1];
>  
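Review bot: changing the argument buffer from `u32 a[6]` to `u32 a[AUDITSC_ARGS]` together with the new `if (len > sizeof(a)) return -EINVAL;` makes an audit constant a correctness limit for the syscall itself; if AUDITSC_ARGS ever drops below the largest nas[] entry, a valid socketcall starts failing with -EINVAL rather than just losing audit coverage. A BUILD_BUG_ON tying AUDITSC_ARGS to the maximum nas[] value, or at least a comment stating the dependency, would make that explicit. The audit call sits after the bounded copy_from_user() and before dispatch, matching the placement described for sys_socketcall().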


Re: [PATCH] XFRM: RFC4303 compliant auditing

2007-12-07 Thread Eric Paris

On Fri, 2007-12-07 at 14:57 -0500, Paul Moore wrote:
 NOTE: This really is an RFC patch, it compiles and boots but that is pretty
   much all I can promise at this point.  I'm posting this patch to gather
   feedback from the audit crowd about the continued overloading of
   the AUDIT_MAC_IPSEC_EVENT message type - continue to use it or create
   a new audit message type?  Of course any other comments people may have
   are always welcome.

I'm all for continuing to use it, but I feel like the op= strings should
probably all get collected up in one place to ease maintenance in the
future. It might not matter, but it's nice to be able to look in only one
place in the code to find all of the possible op= strings.

The one advantage to multiple messages is the ability to exclude and not
audit certain things.  How often will these extra messages actually pop
out of a system?  Enough that people would likely still care about some
of them but decide they don't want others?  I don't know this stuff, so
tell me how often would any of these show up?

-Eric

 
 This patch adds a number of new IPsec audit events to meet the auditing
 requirements of RFC4303.  This includes audit hooks for the following events:
 
  * Could not find a valid SA [sections 2.1, 3.4.2]
. xfrm_audit_state_notfound()
. xfrm_audit_state_notfound_simple()
 
  * Sequence number overflow [section 3.3.3]
. xfrm_audit_state_replay_overflow()
 
  * Replayed packet [section 3.4.3]
. xfrm_audit_state_replay()
 
  * Integrity check failure [sections 3.4.4.1, 3.4.4.2]
. xfrm_audit_state_icvfail()
 
 While RFC4304 deals only with ESP most of the changes in this patch apply to
 IPsec in general, i.e. both AH and ESP.  The one case, integrity check
 failure, where ESP specific code had to be modified the same was done to the
 AH code for the sake of consistency.
 ---
 
  include/net/xfrm.h |   14 
  net/ipv4/ah4.c |1 
  net/ipv4/esp4.c|1 
  net/ipv4/xfrm4_input.c |6 +-
  net/ipv6/ah6.c |1 
  net/ipv6/esp6.c|1 
  net/ipv6/xfrm6_input.c |   10 ++-
  net/xfrm/xfrm_output.c |2 +
  net/xfrm/xfrm_state.c  |  155 
 ++--
  9 files changed, 177 insertions(+), 14 deletions(-)
 
 diff --git a/include/net/xfrm.h b/include/net/xfrm.h
 index c02e230..85ce8c1 100644
 --- a/include/net/xfrm.h
 +++ b/include/net/xfrm.h
 @@ -492,11 +492,22 @@ extern void xfrm_audit_state_add(struct xfrm_state *x, 
 int result,
u32 auid, u32 secid);
  extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
   u32 auid, u32 secid);
 +extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 +  struct sk_buff *skb);
 +extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 
 family);
 +extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 +   __be32 net_spi, __be32 net_seq);
 +extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 +  struct sk_buff *skb, u8 proto);
  #else
  #define xfrm_audit_policy_add(x, r, a, s)do { ; } while (0)
  #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
  #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
  #define xfrm_audit_state_delete(x, r, a, s)  do { ; } while (0)
 +#define xfrm_audit_state_replay_overflow(x, s)   do { ; } while (0)
 +#define xfrm_audit_state_notfound_simple(s, f)   do { ; } while (0)
 +#define xfrm_audit_state_notfound(s, f, sp, sq)  do { ; } while (0)
 +#define xfrm_audit_state_icvfail(x, s, p)do { ; } while (0)
  #endif /* CONFIG_AUDITSYSCALL */
  
  static inline void xfrm_pol_hold(struct xfrm_policy *policy)
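Review bot: the !CONFIG_AUDITSYSCALL fallbacks for the four new hooks are `do { ; } while (0)` macros, so their arguments are never evaluated or type-checked in that configuration, and a call site passing the wrong thing only fails to build once auditing is enabled. Static inline no-op stubs with the same prototypes as the extern declarations above would keep both configurations in step; the same applies to the existing four macros, but adding to the pattern is the moment to reconsider it.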
 @@ -1045,7 +1056,8 @@ extern int xfrm_state_delete(struct xfrm_state *x);
  extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
  extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
  extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
 -extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
 +extern int xfrm_replay_check(struct xfrm_state *x,
 +  struct sk_buff *skb, __be32 seq);
  extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
  extern void xfrm_replay_notify(struct xfrm_state *x, int event);
  extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
 index 5fc346d..8eb19c9 100644
 --- a/net/ipv4/ah4.c
 +++ b/net/ipv4/ah4.c
 @@ -180,6 +180,7 @@ static int ah_input(struct xfrm_state *x, struct sk_buff 
 *skb)
   err = -EINVAL;
   if (memcmp(ahp-work_icv, auth_data, ahp-icv_trunc_len)) {
   x-stats.integrity_failed++;
 + xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
   goto out;
   }
   }
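Review bot: xfrm_audit_state_icvfail() is called for every integrity failure on the receive path with no rate limiting, so a burst of packets with bad ICVs arriving from the network becomes one audit record per packet. That bears directly on the question raised above about how often these events fire; a per-SA rate limit, or at least a changelog note that administrators may want to filter this op=, seems worth considering before merging.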
 diff --git 

Re: [PATCH] XFRM: assorted IPsec fixups

2007-12-07 Thread Eric Paris

On Fri, 2007-12-07 at 12:11 -0500, Paul Moore wrote:
 This patch fixes a number of small but potentially troublesome things in the
 XFRM/IPsec code:
 
  * Use the 'audit_enabled' variable already in include/linux/audit.h
    Removed the need for extern declarations local to each XFRM audit function
 
  * Convert 'sid' to 'secid'
The 'sid' name is specific to SELinux, 'secid' is the common naming
    convention used by the kernel when referring to tokenized LSM labels
 
  * Convert address display to use standard NIP* macros
Similar to what was recently done with the SPD audit code, this also
includes the removal of some unnecessary memcpy() calls
 
  * Move common code to xfrm_audit_common_stateinfo()
Code consolidation from the less is more book on software development
 
  * Convert the SPI in audit records to host byte order
The current SPI values in the audit record are being displayed in
network byte order, probably not what was intended
 
  * Proper spacing around commas in function arguments
Minor style tweak since I was already touching the code
 
 Signed-off-by: Paul Moore [EMAIL PROTECTED]

Acked-by: Eric Paris [EMAIL PROTECTED]

although it does make me wonder why audit_log_start doesn't just check
audit_enabled itself... Anyway, this patch looks good.

 ---
 
  include/linux/xfrm.h|2 +
  include/net/xfrm.h  |   18 ++--
  net/xfrm/xfrm_policy.c  |   15 +-
  net/xfrm/xfrm_state.c   |   69 
 +--
  security/selinux/xfrm.c |   20 +++---
  5 files changed, 58 insertions(+), 66 deletions(-)
 
 diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
 index b58adc5..f75a337 100644
 --- a/include/linux/xfrm.h
 +++ b/include/linux/xfrm.h
 @@ -31,7 +31,7 @@ struct xfrm_sec_ctx {
   __u8ctx_doi;
   __u8ctx_alg;
   __u16   ctx_len;
 - __u32   ctx_sid;
 + __u32   ctx_secid;
   charctx_str[0];
  };
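Review bot: include/linux/xfrm.h is exported to userspace, so renaming the struct xfrm_sec_ctx member from ctx_sid to ctx_secid is a source-level change for any userspace that names the field, even though the layout is unchanged. Worth calling out in the changelog, or keeping the old member name in the exported struct and renaming only the kernel-internal uses.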
  
 diff --git a/include/net/xfrm.h b/include/net/xfrm.h
 index 58dfa82..c02e230 100644
 --- a/include/net/xfrm.h
 +++ b/include/net/xfrm.h
 @@ -462,7 +462,7 @@ struct xfrm_audit
  };
  
  #ifdef CONFIG_AUDITSYSCALL
 -static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
 +static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 secid)
  {
   struct audit_buffer *audit_buf = NULL;
   char *secctx;
 @@ -475,8 +475,8 @@ static inline struct audit_buffer *xfrm_audit_start(u32 
 auid, u32 sid)
  
   audit_log_format(audit_buf, auid=%u, auid);
  
 - if (sid != 0 
 - security_secid_to_secctx(sid, secctx, secctx_len) == 0) {
 + if (secid != 0 
 + security_secid_to_secctx(secid, secctx, secctx_len) == 0) {
   audit_log_format(audit_buf,  subj=%s, secctx);
   security_release_secctx(secctx, secctx_len);
   } else
 @@ -485,13 +485,13 @@ static inline struct audit_buffer *xfrm_audit_start(u32 
 auid, u32 sid)
  }
  
  extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 -   u32 auid, u32 sid);
 +   u32 auid, u32 secid);
  extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 -   u32 auid, u32 sid);
 +   u32 auid, u32 secid);
  extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 -  u32 auid, u32 sid);
 +  u32 auid, u32 secid);
  extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 - u32 auid, u32 sid);
 + u32 auid, u32 secid);
  #else
  #define xfrm_audit_policy_add(x, r, a, s)do { ; } while (0)
  #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
 @@ -621,13 +621,13 @@ extern int xfrm_selector_match(struct xfrm_selector 
 *sel, struct flowi *fl,
  
  #ifdef CONFIG_SECURITY_NETWORK_XFRM
  /*   If neither has a context -- match
 - *   Otherwise, both must have a context and the sids, doi, alg must match
 + *   Otherwise, both must have a context and the secids, doi, alg must match
   */
  static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct 
 xfrm_sec_ctx *s2)
  {
   return ((!s1  !s2) ||
   (s1  s2 
 -  (s1-ctx_sid == s2-ctx_sid) 
 +  (s1-ctx_secid == s2-ctx_secid) 
(s1-ctx_doi == s2-ctx_doi) 
(s1-ctx_alg == s2-ctx_alg)));
  }
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
 index b702bd8..75f25c4 100644
 --- a/net/xfrm/xfrm_policy.c
 +++ b/net/xfrm/xfrm_policy.c
 @@ -23,6 +23,7 @@
  #include linux/netfilter.h
  #include linux/module.h
  #include linux/cache.h
 +#include linux/audit.h
  #include net/xfrm.h
  #include net/ip.h
  
 @@ -2150,15 +2151,14 @@ static inline void 
 xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
   }
  }
  
 -void
 -xfrm_audit_policy_add(struct

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-06-04 Thread Eric Paris
Some time ago this thread bounced back and forth and seemed to come to
rest with the patch below, I cleaned up the comments and put all the
ACKs it received in one place below, but so much time has passed I doubt
if they should still count for free.  I also rediffed the patch against
the latest miller tree.  Is the idea or patch in any way flawed or
unacceptable to people at the moment?

Anyone willing to step up and re-ack the patch to get it moving into the
tree?

-Eric

Currently we check for permission before deleting entries from SAD and
SPD, (see security_xfrm_policy_delete() and security_xfrm_state_delete()).
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD.  It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries a denial is logged and the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

WAS Signed-off-by: Signed-off-by: Joy Latten[EMAIL PROTECTED] NOT NOW
WAS Acked-by: James Morris [EMAIL PROTECTED] NOT NOW
WAS Acked-by: Eric Paris [EMAIL PROTECTED] NOT NOW

---

 include/net/xfrm.h |6 ++--
 net/key/af_key.c   |   10 ++-
 net/xfrm/xfrm_policy.c |   63 +--
 net/xfrm/xfrm_state.c  |   46 --
 net/xfrm/xfrm_user.c   |9 +-
 5 files changed, 121 insertions(+), 13 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 90185e8..311f25a 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -964,7 +964,7 @@ struct xfrmk_spdinfo {
 
 extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
 extern int xfrm_state_delete(struct xfrm_state *x);
-extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
+extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
 extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
 extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
 extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
@@ -1020,13 +1020,13 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int 
dir,
  struct xfrm_sec_ctx *ctx, int delete,
  int *err);
 struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int 
*err);
-void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
+int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
 u32 xfrm_get_acqseq(void);
 void xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi);
 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
  xfrm_address_t *daddr, xfrm_address_t *saddr,
  int create, unsigned short family);
-extern void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
+extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy 
*pol);
 extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
  struct flowi *fl, int family, int strict);
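Review bot: xfrm_policy_flush() is declared twice in this header, once near the top of the hunk without `extern` and again a few lines later with it; both copies are updated to return int, which keeps them consistent, but one of the duplicates could be dropped while the prototype is being touched.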
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d302dda..0f8304b 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1682,6 +1682,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *hd
unsigned proto;
struct km_event c;
struct xfrm_audit audit_info;
+   int err;
 
proto = pfkey_satype2proto(hdr-sadb_msg_satype);
if (proto == 0)
@@ -1689,7 +1690,9 @@ static int pfkey_flush(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *hd
 
audit_info.loginuid = audit_get_loginuid(current-audit_context);
audit_info.secid = 0;
-   xfrm_state_flush(proto, audit_info);
+   err = xfrm_state_flush(proto, audit_info);
+   if (err)
+   return err;
c.data.proto = proto;
c.seq = hdr-sadb_msg_seq;
c.pid = hdr-sadb_msg_pid;
@@ -2683,10 +2686,13 @@ static int pfkey_spdflush(struct sock *sk, struct 
sk_buff *skb, struct sadb_msg
 {
struct km_event c;
struct xfrm_audit audit_info;
+   int err;
 
audit_info.loginuid = audit_get_loginuid(current-audit_context);
audit_info.secid = 0;
-   xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, audit_info);
+   err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, audit_info);
+   if (err)
+   return err;
c.data.type = XFRM_POLICY_TYPE_MAIN;
c.event = XFRM_MSG_FLUSHPOLICY;
c.pid = hdr-sadb_msg_pid;
diff --git a/net

Re: LSPP kernels (was Re: [PATCH]: SAD sometimes has double SAs).

2007-03-28 Thread Eric Paris
On Wed, 2007-03-28 at 12:20 -0400, James Morris wrote:
 On Wed, 28 Mar 2007, Joy Latten wrote:
 
  Eric, sorry as I know you already patched lspp kernel
  for testing.
 
 I think it'd be better to have the lspp kernel join the upstream workflow 
 process, rather than being a shortcut into RHEL.
 
 Please consider creating an lspp git tree (based off Linus' tree), then 
 once patches there are tested and ready to submit upstream, post them here 
 or selinux-list, where they can be reviewed and applied to either my or 
 DaveM's git tree.
 
 From there, they'll be picked up in -mm for even wider testing then be 
 merged into mainline as appropriate.  Then, they can be incorporated into 
 distro devel kernels when they update their kernels, or backported to 
 stable distro kernels as already reviewed & tested upstream patches.
 
 If there are any objections, please respond.

It is definitely NOT a shortcut into RHEL.  Nor is this government cert
effort (LSPP) being driven primarily on RHEL code.  Not a single patch
will go into RHEL until it is upstream or in a tree to go upstream.
That is a given.  All development is being done upstream and then being
ported back to RHEL.  The LSPP kernel she mentioned is at this time
merely a testing ground for patches which may not quite be upstream
ready or are upstream but aren't in RHEL proper yet.  As it stands now
the LSPP kernel is carrying 22 patches on top of RHEL 5 GA (which is
2.6.18 based)  of those let me give you a breakdown.

12 are network related.
10 of those are in Linus's kernel
1 is not yet in miller's tree but I would expect it soon
1 is going to likely be dropped according to this thread

10 remaining patches are audit patches.

There is already a viro/audit-current.git tree on kernel.org where these
should be appearing.  I could make this a little easier for the audit
tree maintainer and make my own tree which he could pull from and then
push to Linus but a tree which should hold all of these does exist.  All
of them have been sent to the linux-audit mailing list and have been
commented on there.

I don't want to give the impression that upstream is not coming first.
All the work is being done upstream either on netdev or linux-audit and
then I pull it back into this LSPP kernel she talked about so that
people interested primarily in the testing necessary to meet that
particular government standard have a neat tidy little prebuild rpm to
work with.  Eventually all of these will show up in RHEL, but not until
all of the patches I'm dealing with are upstream.

-Eric

-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-26 Thread Eric Paris
On Mon, 2007-03-26 at 13:39 -0600, Joy Latten wrote:
 + if ((err = security_xfrm_policy_delete(pol)) != 0) {
 + xfrm_audit_log(audit_info-loginuid,
 +audit_info-secid,
 +AUDIT_MAC_IPSEC_DELSPD,
 +err ? 0 : 1, pol, NULL);
 + return err;

In all of the denial log statements you keep the err ? 0 : 1 which are
common among audit, but in this patch we always know that err is 1. Is
it worth simplifying this down to just a 0 in the all of the
xfrm_audit_log calls?

-Eric



Re: [PATCH]: SAD sometimes has double SAs.

2007-03-26 Thread Eric Paris
On Fri, 2007-03-23 at 16:58 -0600, Joy Latten wrote:

 @@ -710,11 +713,20 @@ static struct xfrm_state *__find_acq_cor
  
   switch (family) {
   case AF_INET:
 + if (x-id.daddr.a4 == saddr-a4 
 + x-props.saddr.a4 == daddr-a4)
 + track_opposite = 1;
   if (x-id.daddr.a4!= daddr-a4 ||
   x-props.saddr.a4 != saddr-a4)
   continue;
   break;
   case AF_INET6:
 + if (ipv6_addr_equal((struct in6_addr *)x-id.daddr.a6,
 +  (struct in6_addr *)saddr) ||
 + ipv6_addr_equal((struct in6_addr *)
 +  x-props.saddr.a6,
 +  (struct in6_addr *)daddr))
 + track_opposite = 1;
   if (!ipv6_addr_equal((struct in6_addr *)x-id.daddr.a6,
(struct in6_addr *)daddr) ||
   !ipv6_addr_equal((struct in6_addr *)

I'm not at all able to speak on the correctness or validity of the
solution, but shouldn't the ipv6 case be a && not an || like the ipv4
case?  Isn't this going to match all sorts of things?  Did you test this
patch on ipv6 and see it solve your problem?

I'm also not enjoying the formatting in the ipv6 part where the first
time you have the cast on the same line as the object but not the second
part where x-props.saddr.a6 is on its own little line.

-Eric



Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-23 Thread Eric Paris
On Fri, 2007-03-23 at 10:33 -0600, Joy Latten wrote:
 On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote:
 
  
  In either case though proper auditing needs to be addressed.  I see that
  the first patch from Joy wouldn't audit deletion failures.  It appears
  to me if the check is done per policy then the security hook return code
  needs to be recorded and passed to xfrm_audit_log instead of the hard
  coded 1 result used now.
  
  Assuming we go with James's double loop what should we be auditing for a
  security hook denial?  Just audit the first policy entry which we tried
  to remove but couldn't and then leave the rest of the auditing in those
  functions the way it is now in case there was no denial, calling
  xfrm_audit_log with a hard coded 1 for the result?
  
 Actually, I thought the original intent of the ipsec auditing was to
 just audit changes made to the SAD/SPD databases, not security hook
 denials, right? 

Then what is the point of the 'result' field that we capture and log in
xfrm_audit_log if the only things you care to audit are successful
changes to the databases?

-Eric



Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-23 Thread Eric Paris
On Fri, 2007-03-23 at 11:47 -0700, David Miller wrote:
 From: James Morris [EMAIL PROTECTED]
 Date: Fri, 23 Mar 2007 14:46:48 -0400 (EDT)
 
  A 'flush' has a semantic implication that all entries will be removed, and 
  it should be atomic and either succeed or fail at that granularity.
 
 Correct.

Fair enough, does it matter that we have no way to report failure back
to users who can no longer assume success?

-Eric



Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-22 Thread Eric Paris
On Thu, 2007-03-22 at 19:49 -0400, James Morris wrote:
 On Thu, 22 Mar 2007, Joy Latten wrote:
 
   I would look at this patch differently if there were some
   security level key being checked for a match here, which is
   an input key to the flush, but that is not what is happening
   here as the object is being looked at by itself.
  
  Yes, I understand what you are saying.
  I was concerned about having to check each entry
  to flush database.
  
  I did this patch because we check for authorization
  when deleting single specified entries from the SAD/SPD. It
  seem like a hole to me that we check for this, but that same
  user/process can delete the entire database with no checks.
 
 Indeed.  Removing an entry is modifying MAC policy, which requires 
 appropriate authorization.
 
 The security label is encapsulated with the object, which is why it's 
 passed to the security layer.
 
 Perhaps a better semantic would be to fail the entire flush operation if 
 one of the security checks failed.  e.g. loop through for permissions 
 first, then if all ok, loop through for deletion.

Maybe I'm way out on a limb here but if I am a regular user and I say
rm /tmp/* and I only have permissions to delete some of the files I
expect just those couple to be deleted, not the whole operation denied.

It seems reasonable to me that the check for every policy (which is
between current->security->sid and xp->security->ctx_sid) makes sense.
There doesn't appear to me right offhand to be anything intrinsic in the
code which says that a flush request must flush everything or nothing.

In either case though proper auditing needs to be addressed.  I see that
the first patch from Joy wouldn't audit deletion failures.  It appears
to me if the check is done per policy then the security hook return code
needs to be recorded and passed to xfrm_audit_log instead of the hard
coded 1 result used now.

Assuming we go with James's double loop what should we be auditing for a
security hook denial?  Just audit the first policy entry which we tried
to remove but couldn't and then leave the rest of the auditing in those
functions the way it is now in case there was no denial, calling
xfrm_audit_log with a hard coded 1 for the result?

-Eric
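The two flush semantics argued over in this message (per-entry, like rm /tmp/*, versus James's check-then-delete double loop) and the auditing question that goes with them, as an added userspace C example that is not the patch's or the kernel's code; it also illustrates the all-or-nothing behaviour described in the 2007-06-04 repost above. It uses a simulated SPD with labeled entries, a hypothetical stand-in for security_xfrm_policy_delete(), and both flush styles with the audit result recorded per decision; labels, policy ids and the permission rule are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* One SPD entry; the security context is stored with the object. */
struct policy { unsigned int id; const char *ctx; int deleted; };
struct spd { struct policy pol[8]; int count; };

/* Minimal audit sink: prints each record and remembers the first denial. */
static unsigned int audit_first_denied;

static void xfrm_audit(const char *op, int res, unsigned int id)
{
	printf("op=%s res=%d policy_id=%u\n", op, res, id);
	if (res == 0 && audit_first_denied == 0)
		audit_first_denied = id;
}

/* Stand-in for security_xfrm_policy_delete() (hypothetical rule): a subject
 * may delete entries carrying its own context; "sysadm_t" may delete any. */
static int security_policy_delete(const char *subj, const struct policy *p)
{
	if (strcmp(subj, "sysadm_t") == 0 || strcmp(subj, p->ctx) == 0)
		return 0;
	return -EACCES;
}

/* All-or-nothing flush (the double loop): check every live entry first; the
 * first denial is audited with result 0 (err is known non-zero there) and
 * ends the flush with nothing removed. Only then does the second loop delete. */
static int spd_flush(struct spd *db, const char *subj)
{
	int i, err;
	for (i = 0; i < db->count; i++) {
		if (db->pol[i].deleted)
			continue;
		err = security_policy_delete(subj, &db->pol[i]);
		if (err) {
			xfrm_audit("SPD-flush", 0, db->pol[i].id);
			return err;
		}
	}
	for (i = 0; i < db->count; i++) {
		if (db->pol[i].deleted)
			continue;
		db->pol[i].deleted = 1;
		xfrm_audit("SPD-delete", 1, db->pol[i].id);
	}
	return 0;
}

/* The "rm /tmp/*" alternative: delete what the subject may, audit each
 * denial individually, and report how many entries were refused. */
static int spd_flush_partial(struct spd *db, const char *subj)
{
	int i, denied = 0;
	for (i = 0; i < db->count; i++) {
		if (db->pol[i].deleted)
			continue;
		if (security_policy_delete(subj, &db->pol[i])) {
			xfrm_audit("SPD-delete", 0, db->pol[i].id);
			denied++;
		} else {
			db->pol[i].deleted = 1;
			xfrm_audit("SPD-delete", 1, db->pol[i].id);
		}
	}
	return denied;
}

/* Constructed database: two system entries plus one owned by a labeled
 * networking daemon that should only be able to manage its own entry. */
static void spd_init(struct spd *db)
{
	static const struct policy sample[] = {
		{ 10, "sysadm_t", 0 }, { 11, "ipsec_mgmt_t", 0 }, { 12, "sysadm_t", 0 },
	};
	memcpy(db->pol, sample, sizeof sample);
	db->count = sizeof sample / sizeof sample[0];
	audit_first_denied = 0;
}

/* Scenario helpers: run one flush style as `subj` on a fresh database. */
static int flush_result(const char *subj, int partial)
{
	struct spd db;
	spd_init(&db);
	return partial ? spd_flush_partial(&db, subj) : spd_flush(&db, subj);
}

static int remaining_after(const char *subj, int partial)
{
	struct spd db;
	int i, n = 0;
	spd_init(&db);
	(void)(partial ? spd_flush_partial(&db, subj) : spd_flush(&db, subj));
	for (i = 0; i < db.count; i++)
		n += !db.pol[i].deleted;
	return n;
}

static unsigned int first_denied(const char *subj, int partial)
{
	remaining_after(subj, partial);
	return audit_first_denied;
}
```

Run as "ipsec_mgmt_t", the atomic flush returns -EACCES with all three entries intact and one denial record, while the per-entry flush removes the daemon's own entry and emits a denial record for each of the other two.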



Re: [PATCH]: double SAs are created when using AH and ESP together

2007-03-09 Thread Eric Paris
On Fri, 2007-03-09 at 16:20 -0800, David Miller wrote:
 From: Joy Latten [EMAIL PROTECTED]
 Date: Fri, 9 Mar 2007 17:14:54 -0600
 
  I noticed that in xfrm_state_add we look for the larval SA in a few
  places without checking for protocol match. So when using both 
  AH and ESP, whichever one gets added first, deletes the larval SA. 
  It seems AH always gets added first and ESP is always the larval 
  SA's protocol since the xfrm-tmpl has it first. Thus causing the
  additional km_query()
  
  Adding the check eliminates the double SA creation. 
  I know this may not seem like a complete solution and I will 
  continue to test and be on the lookout, but isn't having the
  check a good thing? So far I have tested SAs with just ESP, just AH
  and with both and all seems ok. 
  
  Please let me know if this patch is ok. 
  My kernel was 2.6.20-rc3-git3.
  
  Signed-off-by: Joy Latten [EMAIL PROTECTED]
 
 Generally it looks OK, but I'm going to let this one sit for
 a while before I apply it so that other folks can review it
 too and spot any unintended consequences.
 
 In particular, I find it strange that we didn't check the
 protocol field all this time and I wonder whether that might
 be on purpose for some reason.

At least the first hunk of this patch used to be checked back in
net/ipv4/xfrm4_state.c in __xfrm4_find_acq and looks like it just was
accidentally forgotten when there was a transition to using
__find_acq_core:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2770834c9f44afd1bfa13914c7285470775af657

Since Joy found this problem on a 2.6.18 kernel originally which was
before this diff and had the proto check I'm guessing it is actually the
second hunk which is more relevant to the problem.

-Eric



Re: [PATCH] Add xfrm policy change auditing to pfkey_spdget

2007-03-08 Thread Eric Paris
On Wed, 2007-03-07 at 16:07 -0800, David Miller wrote:
 From: David Miller [EMAIL PROTECTED]
 Date: Wed, 07 Mar 2007 15:43:16 -0800 (PST)
 
  From: Eric Paris [EMAIL PROTECTED]
  Date: Fri, 02 Mar 2007 13:51:24 -0500
  
   pfkey_spdget neither had an LSM security hook nor auditing for the
   removal of xfrm_policy structs.  The security hook was added when it was
   moved into xfrm_policy_byid instead of the callers to that function by
   my earlier patch and this patch adds the auditing hooks as well.
   
   Signed-off-by: Eric Paris [EMAIL PROTECTED]
  
  Applied.
 
 This patch was missing an opening brace on the if (delete) line.
 Eric you don't post patches without at least compile testing
 them now do you? :-)
 
 I fixed this up, but I will just kick it back to you next time,
 and I will likely growl very loudly in your general direction
 too. ;)

I lose at using git.  Sorry.  I'll be more careful to check that all of
my changes on the current branch are committed before I run my git diff.
Or maybe someone will convince me to use git in an all new better way.
I created a branch that has your tree and then created a new branch off
of that for my changes.  I checked out my branch made my patch and
committed.  I then tried to compile, failed, and fixed it up.  I then
compiled, booted, and tested.  When I thought it was working I did a

git diff miller..my-branch-with-pfkey_spdget

which didn't have my fix up because I didn't commit it to my local
branch.  Is there a better way to get a diff between my miller tree and
'everything in the branch I have checked out even if it is not
committed'?

Sorry, even if there are no ideas I'll be more careful.

-Eric



RE: [PATCH] xfrm_policy delete security check misplaced

2007-03-05 Thread Eric Paris
On Mon, 2007-03-05 at 11:39 -0500, James Morris wrote:
 On Mon, 5 Mar 2007, Venkat Yekkirala wrote:
 
   
   Signed-off-by: Eric Paris [EMAIL PROTECTED]
  Acked-by: Venkat Yekkirala [EMAIL PROTECTED] 
 
 What about your previous comment:
 
  I guess you meant to do this here?
 else if (err)
 return err; 

That also gets taken care of in the pfkey_spdget cleanup in a later
patch.  The return isn't in the same place Venkat suggested; it instead
happens inside the new if (delete) block.  (err is only non-zero on
delete operations, so there is no need to check it otherwise.)

-Eric



[PATCH] xfrm_policy delete security check misplaced

2007-03-02 Thread Eric Paris
The security hooks to check permissions to remove an xfrm_policy were
actually done after the policy was removed.  Since the unlinking and
deletion are done in xfrm_policy_by* functions this moves the hooks
inside those 2 functions.  There we have all the information needed to
do the security check and it can be done before the deletion.  Since
auditing requires the result of that security check err has to be passed
back and forth from the xfrm_policy_by* functions.  

This patch also fixes a bug where a deletion that failed the security
check could cause improper accounting on the xfrm_policy
(xfrm_get_policy didn't have a put on the exit path for the hold taken
by xfrm_policy_by*)

It also fixes the return code when no policy is found in
xfrm_add_pol_expire.  In old code (at least back in the 2.6.18 days) err
wasn't used before the return when no policy is found and so the
initialization would cause err to be ENOENT.  But since err has since
been used above when we don't get a policy back from the xfrm_policy_by*
function we would always return 0 instead of the intended ENOENT.  Also
fixed some white space damage in the same area. 

Signed-off-by: Eric Paris [EMAIL PROTECTED]

 include/net/xfrm.h |5 +++--
 net/key/af_key.c   |6 ++
 net/xfrm/xfrm_policy.c |   18 --
 net/xfrm/xfrm_user.c   |   19 +--
 4 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 92a1fc4..5a00aa8 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -988,8 +988,9 @@ extern int xfrm_policy_walk(u8 type, int (*func)(struct 
xfrm_policy *, int, int,
 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
  struct xfrm_selector *sel,
- struct xfrm_sec_ctx *ctx, int delete);
-struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete);
+ struct xfrm_sec_ctx *ctx, int delete,
+ int *err);
+struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int 
*err);
 void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
 u32 xfrm_get_acqseq(void);
 void xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi);
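Review bot: the new `int *err` out-parameter on `xfrm_policy_bysel_ctx()` and `xfrm_policy_byid()` changes the contract without documenting it: a non-NULL return no longer means the policy was unlinked, because on an LSM denial the function now hands back a held, still-linked policy with `*err` set. A comment on these prototypes stating that `*err` is only meaningful when `delete` is set and the return is non-NULL, and that the caller must still `xfrm_pol_put()` the policy in that case, would keep future callers from reading non-NULL as success.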
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 1c58204..3542435 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2294,14 +2294,12 @@ static int pfkey_spddelete(struct sock *sk, struct 
sk_buff *skb, struct sadb_msg
}
 
xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, 
pol-sadb_x_policy_dir-1,
-  sel, tmp.security, 1);
+  sel, tmp.security, 1, err);
security_xfrm_policy_free(tmp);
 
if (xp == NULL)
return -ENOENT;
 
-   err = security_xfrm_policy_delete(xp);
-
xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
   AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
 
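Review bot: `security_xfrm_policy_delete()` is dropped here and its verdict now arrives in `err` from `xfrm_policy_bysel_ctx()`, so the `err ? 0 : 1` in the audit call still records the LSM result; but on the denied path the callee returns a held policy, so the rest of `pfkey_spddelete()` (outside this hunk) must still reach its `xfrm_pol_put(xp)` and return `err` instead of continuing to the delete notification. Worth confirming that the code after `xfrm_audit_log()` tests `err` before `km_policy_notify()`.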
@@ -2552,7 +2550,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *h
return -EINVAL;
 
xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol-sadb_x_policy_id,
- hdr-sadb_msg_type == SADB_X_SPDDELETE2);
+ hdr-sadb_msg_type == SADB_X_SPDDELETE2, err);
if (xp == NULL)
return -ENOENT;
 
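Review bot: this hunk threads `err` through `xfrm_policy_byid()`, but `pfkey_spdget()` then (see the `-` lines `err = 0;` and `if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {` in the follow-up patch) clears `err` and sends `XFRM_MSG_DELPOLICY` via `km_policy_notify()`, so an LSM denial in the delete path is overwritten and a delete notification goes out for a policy that is still installed. Either add `if (err) goto out;` right after the lookup, before the notify, or fold that fix into this patch rather than leaving it to the later `pfkey_spdget` auditing patch.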
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 946b715..0c3a70a 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -735,12 +735,14 @@ EXPORT_SYMBOL(xfrm_policy_insert);
 
 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
  struct xfrm_selector *sel,
- struct xfrm_sec_ctx *ctx, int delete)
+ struct xfrm_sec_ctx *ctx, int delete,
+ int *err)
 {
struct xfrm_policy *pol, *ret;
struct hlist_head *chain;
struct hlist_node *entry;
 
+   *err = 0;
write_lock_bh(xfrm_policy_lock);
chain = policy_hash_bysel(sel, sel-family, dir);
ret = NULL;
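Review bot: `*err = 0;` is written unconditionally and `err` is never checked for NULL; that is fine for the in-tree callers, which all pass `&err`, but since the prototype lives in include/net/xfrm.h and is used from both af_key.c and xfrm_user.c, either state in a comment that `err` must be non-NULL or guard the store with `if (err)`. Initialising before `write_lock_bh(&xfrm_policy_lock)` is the right place, since every return path below then has a defined value.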
@@ -750,6 +752,11 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
xfrm_sec_ctx_match(ctx, pol-security)) {
xfrm_pol_hold(pol);
if (delete) {
+   *err = security_xfrm_policy_delete(pol);
+   if (*err) {
+   write_unlock_bh(xfrm_policy_lock);
+   return pol;
+   }
hlist_del(pol-bydst);
hlist_del(pol-byidx
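Review bot: on the denied path (`*err = security_xfrm_policy_delete(pol); if (*err) { write_unlock_bh(...); return pol; }`) the function returns with the `xfrm_pol_hold(pol)` reference taken and the policy still on its hash chains, so every caller must drop that reference; the commit message itself notes `xfrm_get_policy` previously lacked the put. Returning the policy rather than NULL is the right choice, since the caller needs the object to audit the denied request, but a one-line comment above `return pol;` saying "held, not unlinked" would make the asymmetry with the successful delete path explicit. The hunk is cut off after `hlist_del(pol->byidx` on this page, so the rest of the unlink path could not be reviewed.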

[PATCH] Add xfrm policy change auditing to pfkey_spdget

2007-03-02 Thread Eric Paris
pfkey_spdget neither had an LSM security hook nor auditing for the
removal of xfrm_policy structs.  The security hook was added when it was
moved into xfrm_policy_byid instead of the callers to that function by
my earlier patch and this patch adds the auditing hooks as well.

Signed-off-by: Eric Paris [EMAIL PROTECTED]

 net/key/af_key.c |   17 +++--
 1 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 3542435..7cbf0a2 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff 
*skb,
 static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg 
*hdr, void **ext_hdrs)
 {
unsigned int dir;
-   int err;
+   int err = 0, delete;
struct sadb_x_policy *pol;
struct xfrm_policy *xp;
struct km_event c;
@@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *h
if (dir = XFRM_POLICY_MAX)
return -EINVAL;
 
+   delete = (hdr-sadb_msg_type == SADB_X_SPDDELETE2);
xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol-sadb_x_policy_id,
- hdr-sadb_msg_type == SADB_X_SPDDELETE2, err);
+ delete, err);
if (xp == NULL)
return -ENOENT;
 
-   err = 0;
+   if (delete)
+   xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
+  AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
 
-   c.seq = hdr-sadb_msg_seq;
-   c.pid = hdr-sadb_msg_pid;
-   if (hdr-sadb_msg_type == SADB_X_SPDDELETE2) {
+   if (err)
+   goto out;
+   c.seq = hdr-sadb_msg_seq;
+   c.pid = hdr-sadb_msg_pid;
c.data.byid = 1;
c.event = XFRM_MSG_DELPOLICY;
km_policy_notify(xp, dir, c);
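Review bot: the opening brace is missing: the old `if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {` line is removed but no `if (delete) {` replaces it before `c.data.byid = 1;`, so the `} else {` at the end of this hunk no longer closes anything and the file will not compile (the thread reply above says the maintainer fixed this up by hand). Add `+	if (delete) {` after the `c.pid = hdr->sadb_msg_pid;` line. The ordering is otherwise correct: `xfrm_audit_log()` runs before `if (err) goto out;`, so a denied delete is recorded with result 0 rather than skipped.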
@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *h
err = key_pol_get_resp(sk, xp, hdr, dir);
}
 
+out:
xfrm_pol_put(xp);
return err;
 }
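Review bot: placing `out:` before `xfrm_pol_put(xp)` means the `goto out` on the denied path drops the hold that `xfrm_policy_byid()` took, matching the reference handling introduced in the `xfrm_policy delete security check misplaced` patch. One gap to state in the commit message: a plain `SADB_X_SPDGET` whose `key_pol_get_resp()` fails also returns through this label without an audit record, which is consistent with the patch's scope (delete auditing only) but not obvious from the code.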




[PATCH] xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa

2007-03-02 Thread Eric Paris
Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if
there was any permission/security failures in attempting to do the del
operation (such as permission denied from security_xfrm_state_delete).
This patch moves the audit hook to the exit path such that all failures
(and successes) will actually get audited.

Signed-off-by: Eric Paris [EMAIL PROTECTED]

 net/key/af_key.c |5 ++---
 net/xfrm/xfrm_user.c |5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 1c58204..d8fc88c 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1467,9 +1467,6 @@ static int pfkey_delete(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *h
 
err = xfrm_state_delete(x);
 
-   xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
-
if (err  0)
goto out;
 
@@ -1478,6 +1475,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff 
*skb, struct sadb_msg *h
c.event = XFRM_MSG_DELSA;
km_state_notify(x, c);
 out:
+   xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
+  AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
xfrm_state_put(x);
 
return err;
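Review bot: with the audit call now at `out:`, every `goto out` taken before `err = xfrm_state_delete(x)` must have assigned `err`, otherwise `err ? 0 : 1` writes a record with an uninitialised result; the commit message names the `security_xfrm_state_delete` denial as exactly such a path, so confirm that its return value is stored in `err` before the jump. Also note that on the success path the record now follows `km_state_notify()` instead of preceding it; harmless, but any consumer correlating audit and notification order should be aware.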
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 956cfe0..4264473 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -530,9 +530,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr 
*nlh,
 
err = xfrm_state_delete(x);
 
-   xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-  AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
-
if (err  0)
goto out;
 
@@ -542,6 +539,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr 
*nlh,
km_state_notify(x, c);
 
 out:
+   xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+  AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
xfrm_state_put(x);
return err;
 }
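Review bot: same concern as in `pfkey_delete()`: any `goto out` before `xfrm_state_delete()` (the `security_xfrm_state_delete` failure named in the commit message) must leave `err` assigned, since the `err ? 0 : 1` at the label now consumes it on every path. Carrying `NETLINK_CB(skb).loginuid` and `.sid` over unchanged is correct here: the record identifies the netlink sender rather than `current`, which is what matters when the request was denied.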

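As an added illustration of the three patches above (this is not code from the patches or from the kernel), the following user-space model walks through the lookup / hold / permission check / unlink / audit / put sequence they rearrange. All names are hypothetical stand-ins: `entry_byid()` for `xfrm_policy_byid()`, `lsm_delete()` for `security_xfrm_policy_delete()` / `security_xfrm_state_delete()`, `audit_log()` for `xfrm_audit_log()`, `spddelete()` for `pfkey_spddelete()`, and `delete_sa_before()` / `delete_sa_after()` for `pfkey_delete()` with the audit hook in its old and new position. Policies and SAs share one table for brevity, and the table contents are constructed.

```c
/*
 * Added example, not kernel code: a model of the lookup/hold/check/unlink/
 * audit/put pattern from the xfrm audit patches in this thread.  Every
 * identifier here is a hypothetical stand-in for the kernel function named
 * in the lead-in; the table contents are constructed test data.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES  8
#define EPERM_MODEL  1      /* stand-in for -EPERM */
#define ENOENT_MODEL 2      /* stand-in for -ENOENT */

struct entry {
    unsigned int id;
    bool linked;        /* still on the lookup chain (hlist in the kernel) */
    bool restricted;    /* the stand-in LSM denies deletion of these */
    int refcnt;         /* xfrm_pol_hold()/xfrm_pol_put() counter */
};

static struct entry table[MAX_ENTRIES];
static int audit_records;       /* AUDIT_MAC_IPSEC_DEL* records written */
static int audit_last_result;   /* result field of the last record: 1 ok, 0 fail */

/* Stand-in for the LSM hook: deny deletion of restricted entries. */
static int lsm_delete(const struct entry *e) { return e->restricted ? -EPERM_MODEL : 0; }
static void audit_log(int result) { audit_records++; audit_last_result = result; }
static void hold(struct entry *e) { e->refcnt++; }
static void put(struct entry *e)  { e->refcnt--; }

/*
 * Model of xfrm_policy_byid() after the first patch: the security check runs
 * before the unlink and its verdict comes back through *err.  On denial the
 * entry is returned still linked and still held, so the caller must put it.
 */
static struct entry *entry_byid(unsigned int id, bool delete, int *err)
{
    *err = 0;
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        struct entry *e = &table[i];
        if (!e->linked || e->id != id)
            continue;
        hold(e);
        if (delete) {
            *err = lsm_delete(e);
            if (*err)
                return e;       /* denied: held, not unlinked */
            e->linked = false;  /* hlist_del() in the kernel */
        }
        return e;
    }
    return NULL;
}

/* Model of pfkey_spddelete() after the patch: audit every found entry, then put. */
static int spddelete(unsigned int id)
{
    int err;
    struct entry *e = entry_byid(id, true, &err);

    if (!e)
        return -ENOENT_MODEL;
    audit_log(err ? 0 : 1);     /* result 0 on LSM denial, 1 on success */
    put(e);
    return err;
}

/* Model of pfkey_delete() BEFORE the third patch: the audit call sits on the
 * success path only, so a denial that jumps to out leaves no record at all. */
static int delete_sa_before(unsigned int id)
{
    int err;
    struct entry *e = entry_byid(id, false, &err);

    if (!e)
        return -ENOENT_MODEL;
    err = lsm_delete(e);        /* security_xfrm_state_delete() stand-in */
    if (err)
        goto out;               /* denied: audit never reached */
    e->linked = false;
    audit_log(err ? 0 : 1);
out:
    put(e);
    return err;
}

/* Same function AFTER the patch: the audit call lives at the exit label. */
static int delete_sa_after(unsigned int id)
{
    int err;
    struct entry *e = entry_byid(id, false, &err);

    if (!e)
        return -ENOENT_MODEL;
    err = lsm_delete(e);
    if (err)
        goto out;
    e->linked = false;
out:
    audit_log(err ? 0 : 1);     /* denied and successful deletes both logged */
    put(e);
    return err;
}

/* Constructed table: id 1 deletable, id 2 restricted; each held once by the table. */
static void setup_table(void)
{
    memset(table, 0, sizeof(table));
    table[0] = (struct entry){ .id = 1, .linked = true, .restricted = false, .refcnt = 1 };
    table[1] = (struct entry){ .id = 2, .linked = true, .restricted = true,  .refcnt = 1 };
    audit_records = 0;
    audit_last_result = -1;
}

static int audit_count(void) { return audit_records; }
static int audit_result(void) { return audit_last_result; }
static int entry_refcnt(unsigned int id) { return table[id - 1].refcnt; }
static bool entry_linked(unsigned int id) { return table[id - 1].linked; }

int main(void)
{
    setup_table();
    int rc = spddelete(2);
    printf("spddelete(2): rc %d, audit records %d, last result %d, refcnt %d\n",
           rc, audit_count(), audit_result(), entry_refcnt(2));
    setup_table();
    delete_sa_before(2);
    int before = audit_count();
    delete_sa_after(2);
    printf("denied delete: %d record(s) before the patch, %d after\n", before, audit_count());
    return 0;
}
```

The two things to watch when reading it against the real patches: `spddelete(2)` returns the denial, writes a result-0 audit record and leaves the entry linked with its refcount back at 1, which is the reference handling the first patch's commit message describes for `xfrm_get_policy`; and `delete_sa_before(2)` returns the same denial with zero audit records while `delete_sa_after(2)` records it, which is the whole point of the third patch.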



Re: [PATCH 1/3] mlsxfrm: Various fixes

2006-11-07 Thread Eric Paris
On Tue, 2006-11-07 at 11:17 -0600, Venkat Yekkirala wrote:
  int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
 - struct xfrm_user_sec_ctx *uctx, struct sock *sk)
 + struct xfrm_user_sec_ctx *uctx)
  {
   int err;
 - u32 sid;
  
 - BUG_ON(!xp);
 - BUG_ON(uctx  sk);
 -
 - if (sk) {
 - struct sk_security_struct *ssec = sk-sk_security;
 - sid = ssec-sid;
 - }
 - else
 - sid = SECSID_NULL;
 + BUG_ON(!xp || !uctx);
  
 - err = selinux_xfrm_sec_ctx_alloc(xp-security, uctx, NULL, sid);
 + err = selinux_xfrm_sec_ctx_alloc(xp-security, uctx, 0);
   return err;
  }
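Review bot: removing the `sk` parameter also removes the `BUG_ON(uctx && sk)` guard and the `sid = SECSID_NULL` branch, and the new `BUG_ON(!xp || !uctx)` turns a NULL `uctx` (which the old code accepted via the socket path) into a panic; confirm that no remaining caller of `selinux_xfrm_policy_alloc()` can pass a NULL `uctx` before this lands. The third argument to `selinux_xfrm_sec_ctx_alloc()` also changes from `sid` to a literal `0`, so its meaning should be documented at the callee.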

BUG_ON() with an || makes this a slight bit trickier to debug if
something goes wrong.  I'd have to dig around a little in the assembly
and look at the registers in the back trace to know which of the 2 was
the problem.  I personally would rather have a separate

BUG_ON(!xp);
BUG_ON(!uctx);

probably not worth resubmitting, but if you have to make another set of
these

-Eric



[PATCH] update bonding.txt to not show ip address on slaves

2006-01-06 Thread Eric Paris
ifenslave, as of ABI version 2, does not set the IP address on the slave
interfaces.  The documentation example however still shows that the
enslaved interfaces should have the same IP as the master.  The patch
simply removes the lines from the example which should no longer appear.

Signed-off-by: Eric Paris [EMAIL PROTECTED]

 bonding.txt |2 --
 1 files changed, 2 deletions(-)

--- linux-2.6.14.2/Documentation/networking/bonding.txt.old 2006-01-06 
11:47:31.0 -0500
+++ linux-2.6.14.2/Documentation/networking/bonding.txt 2006-01-06 
11:49:18.0 -0500
@@ -944,7 +944,6 @@ bond0 Link encap:Ethernet  HWaddr 00
   collisions:0 txqueuelen:0
 
 eth0  Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
-  inet addr:XXX.XXX.XXX.YYY  Bcast:XXX.XXX.XXX.255  Mask:255.255.252.0
   UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
   RX packets:3573025 errors:0 dropped:0 overruns:0 frame:0
   TX packets:1643167 errors:1 dropped:0 overruns:1 carrier:0
@@ -952,7 +951,6 @@ eth0  Link encap:Ethernet  HWaddr 00
   Interrupt:10 Base address:0x1080
 
 eth1  Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
-  inet addr:XXX.XXX.XXX.YYY  Bcast:XXX.XXX.XXX.255  Mask:255.255.252.0
   UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
   RX packets:3651769 errors:0 dropped:0 overruns:0 frame:0
   TX packets:1643480 errors:0 dropped:0 overruns:0 carrier:0

