Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote: > On 22.12.2015 17:59, Huw Davies wrote: > > I'm confused about this one. AFAICS, this will drop packets that we > > can't process. We don't send the icmp error, but I can certainly add > > that.

[RFC PATCH 13/17] calipso: Allow request sockets to be relabelled by the lsm.

2015-12-22 Thread Huw Davies
Request sockets need to have a label that takes into account the incoming connection as well as their parent's label. This is used for the outgoing SYN-ACK and for their child full-socket. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/netlabel.h | 6 ne

[RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
We check lengths, checksum and the DOI. We leave checking of the level and categories for the socket layer. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/calipso.h | 6 ++ net/ipv6/calipso.c| 43 +++ net/ipv6/exthdrs.c
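The three checks that commit message names (lengths, checksum, DOI), worked through as an added stand-alone C example; this is not code from the patch series or from the kernel. Field offsets follow the RFC 5570 option layout (type 7, length, 32-bit DOI, compartment length in 32-bit words, sensitivity level, 16-bit checksum, then the compartment bitmap). Assumptions of mine: the checksum is CRC-16/X-25 (reflected polynomial 0x8408, initial value 0xFFFF, result complemented, low byte first) computed over the whole option with the checksum bytes zeroed, which is how I read RFC 5570; the DOI table and the calipso_build() helper are constructed for the example only.

```c
/* Added example: user-space validator for the RFC 5570 CALIPSO
 * hop-by-hop option.  Not kernel code; the DOI table is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CALIPSO_OPT_TYPE 0x07
#define CALIPSO_HDR_LEN  10   /* type, len, DOI(4), cmpt len, sens level, crc(2) */

enum calipso_verdict {
    CALIPSO_OK = 0,
    CALIPSO_BAD_TYPE,   /* not a CALIPSO option, or fewer than 2 bytes left */
    CALIPSO_BAD_LEN,    /* length field < 8 or option runs past the header */
    CALIPSO_BAD_CMPT,   /* compartment bitmap does not fit in the option */
    CALIPSO_BAD_CSUM,   /* CRC-16 mismatch */
    CALIPSO_BAD_DOI     /* DOI not configured locally */
};

/* CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, result complemented.
 * Assumption: this is the CRC-16 that RFC 5570 specifies for the option. */
static uint16_t calipso_crc16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0x8408) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

/* Constructed DOI table standing in for the NetLabel DOI list. */
static const uint32_t known_dois[] = { 1, 16 };

static bool calipso_doi_known(uint32_t doi)
{
    for (size_t i = 0; i < sizeof(known_dois) / sizeof(known_dois[0]); i++)
        if (known_dois[i] == doi)
            return true;
    return false;
}

/* Validate the option at opt; avail is how many bytes of the hop-by-hop
 * header remain from opt onwards.  Checks lengths, checksum and DOI only;
 * level and category checks are left to the socket layer, as in the patch. */
enum calipso_verdict calipso_validate(const uint8_t *opt, size_t avail)
{
    uint8_t zeroed[257];               /* max option: 2 + 255 bytes */
    size_t len;
    uint16_t crc;
    uint32_t doi;

    if (avail < 2 || opt[0] != CALIPSO_OPT_TYPE)
        return CALIPSO_BAD_TYPE;
    len = (size_t)opt[1] + 2;          /* whole option incl. type and length */
    if (opt[1] < CALIPSO_HDR_LEN - 2 || len > avail)
        return CALIPSO_BAD_LEN;
    /* Cmpt Length is in 32-bit words; the bitmap must fit after the 8 fixed bytes. */
    if ((size_t)opt[6] * 4 + 8 > opt[1])
        return CALIPSO_BAD_CMPT;
    /* Checksum covers the whole option with the checksum field as zero. */
    memcpy(zeroed, opt, len);
    zeroed[8] = zeroed[9] = 0;
    crc = calipso_crc16(zeroed, len);
    if (opt[8] != (crc & 0xff) || opt[9] != (crc >> 8))
        return CALIPSO_BAD_CSUM;
    doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
          ((uint32_t)opt[4] << 8) | opt[5];
    if (!calipso_doi_known(doi))
        return CALIPSO_BAD_DOI;
    return CALIPSO_OK;
}

/* Build a well-formed option (my helper, used to exercise the validator).
 * cmpt holds ncmpt 32-bit words of the compartment bitmap; returns the
 * option length in bytes, or 0 if the bitmap cannot fit in a 255-byte option. */
size_t calipso_build(uint8_t *out, uint32_t doi, uint8_t level,
                     const uint32_t *cmpt, uint8_t ncmpt)
{
    size_t len = CALIPSO_HDR_LEN + (size_t)ncmpt * 4;
    uint16_t crc;

    if (len - 2 > 255)
        return 0;
    out[0] = CALIPSO_OPT_TYPE;
    out[1] = (uint8_t)(len - 2);
    out[2] = (uint8_t)(doi >> 24); out[3] = (uint8_t)(doi >> 16);
    out[4] = (uint8_t)(doi >> 8);  out[5] = (uint8_t)doi;
    out[6] = ncmpt;
    out[7] = level;
    out[8] = out[9] = 0;                  /* checksum field zero while computing */
    for (size_t i = 0; i < ncmpt; i++) {
        out[10 + 4 * i]     = (uint8_t)(cmpt[i] >> 24);
        out[10 + 4 * i + 1] = (uint8_t)(cmpt[i] >> 16);
        out[10 + 4 * i + 2] = (uint8_t)(cmpt[i] >> 8);
        out[10 + 4 * i + 3] = (uint8_t)cmpt[i];
    }
    crc = calipso_crc16(out, len);
    out[8] = (uint8_t)(crc & 0xff);       /* low byte first */
    out[9] = (uint8_t)(crc >> 8);
    return len;
}

int main(void)
{
    uint8_t opt[64];
    size_t n = calipso_build(opt, 1, 3, (const uint32_t[]){ 0x80000000u }, 1);
    printf("valid option: verdict %d\n", calipso_validate(opt, n));
    opt[7] ^= 1;                          /* flip a bit in the sensitivity level */
    printf("corrupted level: verdict %d\n", calipso_validate(opt, n));
    return 0;
}
```

The order of the checks matters: the length and compartment-length tests run before anything reads past the fixed header, so a short or truncated option can never make the checksum loop read beyond the bytes that are actually present.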

[RFC PATCH 03/17] netlabel: Initial support for the CALIPSO netlink protocol.

2015-12-22 Thread Huw Davies
for this the CALIPSO functions are registered at module init time. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/calipso.h | 79 +++ include/net/netlabel.h | 22 include/uapi/linux/audit.h | 2 + net/ipv6/Makefile

[RFC PATCH 15/17] netlabel: Pass a family parameter to netlbl_skbuff_err().

2015-12-22 Thread Huw Davies
This makes it possible to route the error to the appropriate labelling engine. CALIPSO is far less verbose than CIPSO when encountering a bogus packet, so there is no need for a CALIPSO error handler. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/netlabel.h

[RFC PATCH 08/17] ipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.

2015-12-22 Thread Huw Davies
The functionality is equivalent to ipv6_renew_options() except that the newopt pointer is in kernel, not user, memory. The kernel memory implementation will be used by the CALIPSO network labelling engine, which needs to be able to set IPv6 hop-by-hop options. Signed-off-by: Huw Davies &l

[RFC PATCH 12/17] ipv6: Allow request socks to contain IPv6 options.

2015-12-22 Thread Huw Davies
for IPv4. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/inet_sock.h | 7 ++- net/dccp/ipv6.c | 12 +--- net/ipv4/tcp_input.c| 3 +++ net/ipv6/tcp_ipv6.c | 12 +--- 4 files changed, 27 insertions(+), 7 deletions(-) diff --git a/inclu

[RFC PATCH 04/17] netlabel: Add support for querying a CALIPSO DOI.

2015-12-22 Thread Huw Davies
Query a specified DOI through the NLBL_CALIPSO_C_LIST command. It requires the attribute: NLBL_CALIPSO_A_DOI. The reply will contain: NLBL_CALIPSO_A_MTYPE Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/netlabel.h | 4 ++ net/ipv6/calipso.c

[RFC PATCH 00/17] CALIPSO implementation

2015-12-22 Thread Huw Davies
This patch series implements RFC 5570 - Common Architecture Label IPv6 Security Option (CALIPSO). Its goal is to set MLS sensitivity labels on IPv6 packets using a hop-by-hop option. CALIPSO is very similar to its IPv4 cousin CIPSO and much of this series is based on that code. Most of this series

[RFC PATCH 01/17] netlabel: Mark rcu pointers with __rcu.

2015-12-22 Thread Huw Davies
This fixes sparse errors of the form: netlabel_domainhash.c:126:23: error: incompatible types in comparison expression (different address spaces) This patch also removes unnecessary initialization of static variables to NULL. Signed-off-by: Huw Davies <h...@codeweavers.com> --- net/ne

[RFC PATCH 07/17] netlabel: Add support for removing a CALIPSO DOI.

2015-12-22 Thread Huw Davies
Remove a specified DOI through the NLBL_CALIPSO_C_REMOVE command. It requires the attribute: NLBL_CALIPSO_A_DOI. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/netlabel.h | 1 + net/ipv6/calipso.c | 48 + net/ne

[RFC PATCH 10/17] calipso: Set the calipso socket label to match the secattr.

2015-12-22 Thread Huw Davies
CALIPSO is a hop-by-hop IPv6 option. A lot of this patch is based on the equivalent CIPSO code. The main difference is due to manipulating the options in the hop-by-hop header. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/ipv6.h | 2 + include/net/netl

[RFC PATCH 17/17] calipso: Add a label cache.

2015-12-22 Thread Huw Davies
. calipso_cache_bucket_size - sets the size of a cache bucket. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/calipso.h | 6 + include/net/netlabel.h | 9 +- net/ipv6/calipso.c | 264 +++- net/ipv6/sysctl_net_

[RFC PATCH 02/17] netlabel: Add an address family to domain hash entries.

2015-12-22 Thread Huw Davies
to LISTDEF to specify which address family to return. Signed-off-by: Huw Davies <h...@codeweavers.com> --- net/netlabel/netlabel_domainhash.c | 173 - net/netlabel/netlabel_domainhash.h | 8 +- net/netlabel/netlabel_kapi.c | 6 +- net/ne

[RFC PATCH 06/17] netlabel: Add support for creating a CALIPSO protocol domain mapping.

2015-12-22 Thread Huw Davies
This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands to accept CALIPSO protocol DOIs. Signed-off-by: Huw Davies <h...@codeweavers.com> --- net/netlabel/netlabel_domainhash.c | 40 +-- net/netlabel/netlabel_domainhash.h | 1 + net/netlabel/netlabel_

[RFC PATCH 11/17] netlabel: Prevent setsockopt() from changing the hop-by-hop option.

2015-12-22 Thread Huw Davies
If a socket has a netlabel in place then don't let setsockopt() alter the socket's IPv6 hop-by-hop option. This is in the same spirit as the existing check for IPv4. Signed-off-by: Huw Davies <h...@codeweavers.com> --- security/selinux/netlabel.c | 17 - 1 file chang

[RFC PATCH 05/17] netlabel: Add support for enumerating the CALIPSO DOI list.

2015-12-22 Thread Huw Davies
Enumerate the DOI list through the NLBL_CALIPSO_C_LISTALL command. It takes no attributes. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/netlabel.h | 4 ++ net/ipv6/calipso.c | 41 net/netlabel/netlabel_calipso.c

[RFC PATCH 14/17] calipso: Allow the lsm to label the skbuff directly.

2015-12-22 Thread Huw Davies
In some cases, the lsm needs to add the label to the skbuff directly. A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4 behaviour. This allows selinux to label the skbuffs that it requires. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/

[RFC PATCH 09/17] netlabel: Move bitmap manipulation functions to the NetLabel core.

2015-12-22 Thread Huw Davies
This is to allow the CALIPSO labelling engine to use these. Signed-off-by: Huw Davies <h...@codeweavers.com> --- include/net/netlabel.h | 6 +++ net/ipv4/cipso_ipv4.c| 88 +--- net/netlabel/netlabel_kapi.

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote: > On 22.12.2015 12:46, Huw Davies wrote: > > > > +/* CALIPSO RFC 5570 */ > > + > > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) > > +{ > > + const uns

Re: [RFC PATCH 00/17] CALIPSO implementation

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 09:28:37AM -0800, Casey Schaufler wrote: > On 12/22/2015 3:46 AM, Huw Davies wrote: > > This patch series implements RFC 5570 - Common Architecture Label IPv6 > > Security Option (CALIPSO). Its goal is to set MLS sensitivity labels > > on IPv6 packe