t;valid)
> goto unlabel_getattr_nolabel;
> +
> +#if IS_ENABLED(CONFIG_IPV6)
> + /* When resolving a fallback label, check the sk_buff version as
> +* it is possible (e.g. SCTP) to have family = PF_INET6 while
> +* receiving ip_hdr(skb)->version = 4.
> +*/
> + if (family == PF_INET6 && ip_hdr(skb)->version == 4)
> + family = PF_INET;
> +#endif /* IPv6 */
> +
It seems like this should be pulled out into its own patch as a fix
that extends beyond SCTP, what do you think?
--
paul moore
www.paul-moore.com
int, yes?
> + | |
> + | net/sctp/socket.c sctp_copy_sock()
> + | If SCTP_SOCKET_TCP or peeled off
> + | socket security_sctp_sk_clone() is
> + | called to clone the new socket.
In this case we are establishing a new association for a given endpoint, yes?
> + | |
> + ESTABLISHEDESTABLISHED
> + | |
> +--
> +| Association Established|
> +--
> +
> +
--
paul moore
www.paul-moore.com
bit more work (lookup in state hash
> table) if we can reuse the xdst entry (we only avoid xdst alloc/free)
> but we don't add a lot of extra work in case we can't reuse.
>
> xfrm_pol_dead() check is removed, reasoning is that
> xfrm_tmpl_resolve does all needed checks.
>
> Cc:
On Thu, Nov 2, 2017 at 8:58 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote:
>> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal <f...@strlen.de>
>> wrote:
>> > Paul Moore <p...@paul-moore.com> wrot
On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal <f...@strlen.de> wrote:
> Paul Moore <p...@paul-moore.com> wrote:
>> On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> > matching before (as in this patch) or after calling xfrm
0 &&
> + (!xdst->u.dst.xfrm->sel.family ||
> +xfrm_selector_match(>u.dst.xfrm->sel, fl,
> +xdst->u.dst.xfrm->sel.family)) &&
> + security_xfrm_state_pol_flow_match(xdst->u.dst.xfrm,
>
kernel/bpf/syscall.c | 4 ++--
> security/selinux/hooks.c | 49
>
> 3 files changed, 54 insertions(+), 2 deletions(-)
Same thing as 4/5.
Acked-by: Paul Moore <p...@paul-moore.com>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 84c192da3e0b..1e33
| 4 ++
> 3 files changed, 117 insertions(+)
Not sure if DaveM has merged this into net-next yet, but it looks
reasonable to me.
Acked-by: Paul Moore <p...@paul-moore.com>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f5d304736852..12cf7de8cbed 10
On Thu, Oct 19, 2017 at 12:25 PM, Eric W. Biederman
<ebied...@xmission.com> wrote:
> Paul Moore <p...@paul-moore.com> writes:
>
>> On Wed, Oct 18, 2017 at 8:43 PM, Eric W. Biederman
>> <ebied...@xmission.com> wrote:
>>> Aleksa Sarai <asa...@s
ity arguments, welcome back old friend :)
Once again, we're still trying to sort all this out so I reserve the
right to change my mind, but my current thinking is as follows ...
CAP_AUDIT_WRITE exists to control which applications can submit
userspace generated audit records to the kernel, CAP_AUDIT_CON
dit
> namespace''.
In an attempt to stay on-topic, let's try to stick with "audit
container ID" or "container ID" if you must. I really want to avoid
the term "audit namespace" simply because the term "namespace" implies
some things which we aren't planning on doing.
--
paul moore
www.paul-moore.com
has an unset audit container ID) but provides a blank slate for
the orchestrator(s).
> For nested containers, I actually think the label should be
> hierarchical, so you can add a label for the new nested container but
> it still also contains its parents label as well.
I haven't made up my mind on this completely just yet, but I'm
currently of the mindset that supporting multiple audit container IDs
on a given process is not a good idea.
--
paul moore
www.paul-moore.com
ntionally trying to limit its scope in an attempt to limit
problems. If a more general solution appears in the future I think we
would make every effort to migrate to that; keeping this initial
effort small should make that easier.
--
paul moore
www.paul-moore.com
On Thu, Aug 10, 2017 at 3:13 PM, Paul Moore <pmo...@redhat.com> wrote:
> From: Paul Moore <p...@paul-moore.com>
>
> Signed-off-by: Paul Moore <p...@paul-moore.com>
> ---
> MAINTAINERS | 24 ++--
> 1 file changed, 14 insertions(+), 10 d
From: Paul Moore <p...@paul-moore.com>
Signed-off-by: Paul Moore <p...@paul-moore.com>
---
MAINTAINERS | 24 ++--
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 65990909fe73..be25ebaaeec3 100644
--- a/MAINT
20 and the first byte of ip
> option is 0, produce this issue
>
> Signed-off-by: yujuan.qi <yujuan...@mediatek.com>
> ---
> net/ipv4/cipso_ipv4.c | 12 ++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
Considering I gave you the code below I should probably ack it
case IPOPT_NOOP:
taglen = 1;
break;
default:
taglen = optptr[1];
}
optlen -= taglen;
optptr += taglen;
}
--
paul moore
security @ redhat
On Tue, Jul 25, 2017 at 5:59 AM, Paolo Abeni <pab...@redhat.com> wrote:
> On Mon, 2017-07-24 at 22:00 -0400, Paul Moore wrote:
>> > I'm happy to test this, but if you are curious, you can find the
>> > selinux-testsuite at the link below; the "inet_socket&q
On Mon, Jul 24, 2017 at 3:00 PM, Paul Moore <p...@paul-moore.com> wrote:
> On Mon, Jul 24, 2017 at 12:09 PM, Paolo Abeni <pab...@redhat.com> wrote:
>> Hi,
>>
>> On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote:
>>> The change in behavi
On Mon, Jul 24, 2017 at 12:09 PM, Paolo Abeni <pab...@redhat.com> wrote:
> Hi,
>
> On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote:
>> The change in behavior for userspace makes me a little nervous as
>> there is no way of knowing how any random application
On Mon, Jul 24, 2017 at 8:25 AM, Paolo Abeni <pab...@redhat.com> wrote:
> Hi,
>
> On Fri, 2017-07-21 at 18:19 -0400, Paul Moore wrote:
>> I've been seeing a SELinux regression with IP_PASSSEC on the v4.13-rcX
>> kernels and finally tracked the problem down to the
the problem; my
initial thought would be to simply make the skb_release_head_state()
conditional on the skb->sp pointer, much like the IP options fix, but
I'm not sure if you have a more clever idea.
--
paul moore
www.paul-moore.com
d-off-by: Richard Haines <richard_c_hai...@btinternet.com>
> ---
> net/ipv6/calipso.c | 6 +-
> 1 file changed, 5 insertions(+), 1 deletion(-)
Acked-by: Paul Moore <p...@paul-moore.com>
Thanks Richard. DaveM, I assume you'll be pulling this into your tree?
> diff
uce the potential merge conflict. However,
>> that's a relatively small thing to worry about.
--
paul moore
www.paul-moore.com
afe struct timespec64 to represent the times.
> The log strings can handle this transition as strings can
> hold up to 1024 characters.
>
> Signed-off-by: Deepa Dinamani <deepa.ker...@gmail.com>
> Reviewed-by: Arnd Bergmann <a...@arndb.de>
> Acked-by: Paul Moore <
On Fri, Mar 10, 2017 at 7:01 AM, Paul Moore <p...@paul-moore.com> wrote:
> On Thu, Mar 9, 2017 at 2:12 AM, David Miller <da...@davemloft.net> wrote:
>> From: Alexander Potapenko <gli...@google.com>
>> Date: Mon, 6 Mar 2017 19:46:14 +0100
>>
>>> KMS
), which uses them to calculate a hash.
>>
>> Signed-off-by: Alexander Potapenko <gli...@google.com>
>
> Are the SELINUX folks going to pick this up or should I?
Yes, it's on my list of things to merge, I was just a bit distracted
this week with yet another audit problem. I'm going to start making
my way through the patch backlog today.
--
paul moore
www.paul-moore.com
On Wed, Mar 8, 2017 at 8:25 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2017-03-07 14:23, Paul Moore wrote:
>> On Tue, Mar 7, 2017 at 1:44 PM, Paul Moore <p...@paul-moore.com> wrote:
>> > On Tue, Mar 7, 2017 at 10:55 AM, Richard Guy Briggs <r...@redhat.c
On Tue, Mar 7, 2017 at 1:44 PM, Paul Moore <p...@paul-moore.com> wrote:
> On Tue, Mar 7, 2017 at 10:55 AM, Richard Guy Briggs <r...@redhat.com> wrote:
>> On 2017-03-07 09:29, Paul Moore wrote:
>>> On Mon, Mar 6, 2017 at 11:03 PM, Richard Guy Briggs <r...@redhat.c
On Tue, Mar 7, 2017 at 10:55 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2017-03-07 09:29, Paul Moore wrote:
>> On Mon, Mar 6, 2017 at 11:03 PM, Richard Guy Briggs <r...@redhat.com> wrote:
>> > On 2017-03-06 10:10, Cong Wang wrote:
>> >> On Mon, M
after the
> "quick_loop:" label. The condition on auditd is supposed to catch that
> case. We don't want it locked while playing with the scheduler at the
> bottom of that function.
Let me look into this and play around with a few things. I suspected
there might be a problem here, so I've got thoughts on how we might
resolve it; I just need to code them up and see what option sucks
the least.
FWIW Richard, yes wrapping most of kauditd_thread *should* resolve
this but it's pretty heavy handed and not my first choice.
--
paul moore
www.paul-moore.com
security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -235,9 +235,11 @@ struct security_class_mapping secclass_map[] = {
>> { COMMON_SOCK_PERMS, NULL } },
>> { "qipcrtr_socket",
>> { COMMON_SOCK_PERMS, NULL } },
>> + { "smc_socket",
>> + { COMMON_SOCK_PERMS, NULL } },
>> { NULL }
>>};
>>
>> -#if PF_MAX > 43
>> +#if PF_MAX > 44
>> #error New address family defined, please update secclass_map.
>> #endif
>> --
>> 2.10.2
>
> This now applies when I merge the security tree (as it merged the
> selinux tree, presumably).
Yes, James just pulled the SELinux tree yesterday.
--
paul moore
www.paul-moore.com
pso: handle CIPSO options correctly when NetLabel is
> disabled")
> Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
> Cc: Paul Moore <p...@paul-m
sizeof(a))
> + return -EINVAL;
> +
> + if (copy_from_user(a, args, len))
> return -EFAULT;
> +
> + ret = audit_socketcall_compat(len / sizeof(a[0]), a);
> + if (ret)
> + return ret;
> +
> a0 = a[0];
> a1 = a[1];
>
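Review bot: the only visible bound on len is the upper bound against sizeof(a); if len can be anything other than a whole multiple of sizeof(a[0]), the `len / sizeof(a[0])` passed to audit_socketcall_compat() silently drops a partial trailing argument that copy_from_user() did read into a. If len is always derived from the call number, a one-line comment saying so would settle it; otherwise reject `len % sizeof(a[0]) != 0` alongside the existing -EINVAL check.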
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> linux-au...@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
paul moore
www.paul-moore.com
On Mon, Jan 16, 2017 at 10:53 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2017-01-16 15:04, Paul Moore wrote:
>> On Fri, Jan 13, 2017 at 9:42 AM, Eric Paris <epa...@redhat.com> wrote:
>> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
call, u32 __user *, args)
>> {
>> + unsigned int len;
>> int ret;
>> - u32 a[6];
>> + u32 a[AUDITSC_ARGS];
>> u32 a0, a1;
>
> Longest to shortest line for local variable declarations please.
>
--
paul moore
www.paul-moore.com
true
> in Fedora I highly doubt that's true on the vast majority of systems
> that have audit compiled in.
Richard and I have talked about the likely/unlikely optimization
before and I know Richard likes to use them, but I don't for the
reasons Eric has already mentioned. Richard, sin
{ COMMON_SOCK_PERMS, NULL } },
> + { "smc_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> { NULL }
>};
>
> -#if PF_MAX > 43
> +#if PF_MAX > 44
> #error New address family defined, please update secclass_map.
> #endif
> --
> 2.10.2
>
> --
> Cheers,
> Stephen Rothwell
--
paul moore
www.paul-moore.com
From: Paul Moore <p...@paul-moore.com>
When we added CALIPSO support in Linux v4.8 we forgot to add it to the
list of supported protocols with display at boot.
Signed-off-by: Paul Moore <p...@paul-moore.com>
---
net/netlabel/netlabel_kapi.c |5 +
1 file changed, 1 ins
On Tue, Dec 13, 2016 at 10:03 AM, Richard Guy Briggs wrote:
> Resetting audit_sock appears to be racy.
>
> audit_sock was being copied and dereferenced without using a refcount on
> the source sock.
>
> Bump the refcount on the underlying sock when we store a reference in
>
{
> + (audit_replace(requesting_pid) &
> (-ECONNREFUSED|-EPERM|-ENOMEM))) {
Do we simply want to treat any error here as fatal, and not just
ECONN/EPERM/ENOMEM? If not, let's come up with a single macro to
handle the fatal netlink_unicast() return codes so we have some chance
to keep things consistent in the future.
--
paul moore
www.paul-moore.com
ask & AUDIT_STATUS_RATE_LIMIT) {
> @@ -1283,8 +1302,11 @@ static void __net_exit audit_net_exit(struct net *net)
> {
> struct audit_net *aunet = net_generic(net, audit_net_id);
> struct sock *sock = aunet->nlsk;
> - if (sock == audit_sock)
> + if (sock == audit_sock) {
> + mutex_lock(_cmd_mutex);
> auditd_reset();
> + mutex_unlock(_cmd_mutex);
> + }
>
> RCU_INIT_POINTER(aunet->nlsk, NULL);
> synchronize_net();
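Review bot: the `sock == audit_sock` comparison is still evaluated outside _cmd_mutex, so audit_sock can be replaced between the check and auditd_reset(); if the mutex is what protects audit_sock, take it before the comparison (`mutex_lock(); if (sock == audit_sock) auditd_reset(); mutex_unlock();`) rather than only around the reset call.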
> --
> 1.7.1
>
--
paul moore
www.paul-moore.com
On Wed, Nov 30, 2016 at 2:58 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <pmo...@redhat.com>
> Date: Tue, 29 Nov 2016 17:11:29 -0500
>
>> From: Paul Moore <p...@paul-moore.com>
>>
>> Bring back commit bc51dddf98c9 ("netns: av
On Tue, Nov 29, 2016 at 5:11 PM, Paul Moore <pmo...@redhat.com> wrote:
> From: Paul Moore <p...@paul-moore.com>
>
> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
> id") now that we've fixed some audit multicast issues that cause
From: Paul Moore <p...@paul-moore.com>
Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
id") now that we've fixed some audit multicast issues that caused
problems with original attempt. Additional information, and history,
can be found in the links
On Fri, Oct 21, 2016 at 11:38 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Fri, Oct 21, 2016 at 6:49 PM, Paul Moore <pmo...@redhat.com> wrote:
>> Eventually we should be able to reintroduce this code once we have
>> rewritten the audit multicast code to queue me
On Fri, Oct 21, 2016 at 11:26 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Fri, Oct 21, 2016 at 1:03 PM, Paul Moore <p...@paul-moore.com> wrote:
>> On Fri, Oct 21, 2016 at 2:02 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
>>> On Fri, Oct 21, 20
On Fri, Oct 21, 2016 at 4:53 PM, Paul Moore <p...@paul-moore.com> wrote:
> On Fri, Oct 21, 2016 at 4:33 PM, David Miller <da...@davemloft.net> wrote:
>> From: Paul Moore <p...@paul-moore.com>
>> Date: Fri, 21 Oct 2016 16:15:00 -0400
>>
>>> Howe
From: Paul Moore <p...@paul-moore.com>
This reverts commit bc51dddf98c9 ("netns: avoid disabling irq for
netns id") as it was found to cause problems with systems running
SELinux/audit, see the mailing list thread below:
* http://marc.info/?t=14769465392=1=2
Eventually w
On Fri, Oct 21, 2016 at 4:33 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Fri, 21 Oct 2016 16:15:00 -0400
>
>> However, that's not the case is it? Unless I missed something, the
>> fix that Cong Wang is advocating
On Fri, Oct 21, 2016 at 3:39 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2016-10-21 11:02, Cong Wang wrote:
>> On Fri, Oct 21, 2016 at 9:19 AM, Paul Moore <p...@paul-moore.com> wrote:
>> > On Thu, Oct 20, 2016 at 7:35 PM, Cong Wang <xiyo
On Fri, Oct 21, 2016 at 2:02 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Fri, Oct 21, 2016 at 9:19 AM, Paul Moore <p...@paul-moore.com> wrote:
>> On Thu, Oct 20, 2016 at 7:35 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
>>> This is what I
On Thu, Oct 20, 2016 at 7:35 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Thu, Oct 20, 2016 at 12:07 PM, Paul Moore <p...@paul-moore.com> wrote:
>> On Thu, Oct 20, 2016 at 2:29 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
>>> On Thu, Oct 20,
lly we would just be moving the
multicast code from audit_log_end() into kauditd_thread(). This is
the same approach I mentioned earlier off-list.
However, that isn't something I want to mess with as a regression fix,
mostly because I really want to see this regression gone by -rc2 as it
is making S
the Smack attributes in the sk_security blob are not
> explicitly set the problem does not occur. I have the same
> result if I change the Smack attributes within the socket
> security blob as I do if I replace the security blob.
--
paul moore
www.paul-moore.com
On Wed, Jul 6, 2016 at 10:15 AM, Casey Schaufler <ca...@schaufler-ca.com> wrote:
> On 7/6/2016 5:50 AM, Paul Moore wrote:
>> On Tue, Jul 5, 2016 at 8:38 PM, Casey Schaufler <ca...@schaufler-ca.com>
>> wrote:
>>> I have encountered a system hang with my Sma
On Wed, Jul 6, 2016 at 8:50 AM, Paul Moore <p...@paul-moore.com> wrote:
> On Tue, Jul 5, 2016 at 8:38 PM, Casey Schaufler <ca...@schaufler-ca.com>
> wrote:
>> I have encountered a system hang with my Smack
>> networking tests that bisects to the change below.
de after clearing the skb control buffer similar to IPv6.
> From there the pktinfo can just pull it from cb with the PKTINFO_SKB_CB
> cast.
>
>
> Signed-off-by: David S. Miller <da...@davemloft.net>
--
paul moore
www.paul-moore.com
p-by-hop option. CALIPSO is very similar to
>>> > its IPv4 cousin CIPSO and much of this series is based on that code.
>>>
>>> What tree do you expect to integrate this?
>>
>> My understanding is that Paul Moore is happy to take them
>> in via the SELin
>>
>> What tree do you expect to integrate this?
>
> My understanding is that Paul Moore is happy to take them
> in via the SELinux tree. However, these patches do touch
> some core networking code, such as the IPv6 option handling
> code (in a similar manner to the way
On Mon, Jun 13, 2016 at 10:16 AM, Paul Moore <pmo...@redhat.com> wrote:
> From: Paul Moore <p...@paul-moore.com>
>
> In cases where the category bitmap is sparse enough that gaps exist
> between netlbl_lsm_catmap structs, callers to netlbl_catmap_getlong()
> could
From: Paul Moore <p...@paul-moore.com>
In cases where the category bitmap is sparse enough that gaps exist
between netlbl_lsm_catmap structs, callers to netlbl_catmap_getlong()
could find themselves prematurely ending their search through the
category bitmap. Further, the method
On Mon, Jun 13, 2016 at 6:08 AM, Ursula Braun <ubr...@linux.vnet.ibm.com> wrote:
>> From: Paul Moore <p...@paul-moore.com>
>>
>> Much like we had to do for AF_BLUETOOTH and AF_ALG, make sure we
>> properly clone the parent socket's LSM attributes to newly create
On Thu, Jun 9, 2016 at 8:59 AM, Paul Moore <pmo...@redhat.com> wrote:
> From: Paul Moore <p...@paul-moore.com>
>
> Much like we had to do for AF_BLUETOOTH and AF_ALG, make sure we
> properly clone the parent socket's LSM attributes to newly created
> child sockets.
>
From: Paul Moore <p...@paul-moore.com>
Much like we had to do for AF_BLUETOOTH and AF_ALG, make sure we
properly clone the parent socket's LSM attributes to newly created
child sockets.
Signed-off-by: Paul Moore <p...@paul-moore.com>
---
net/iucv/af_iucv.c |5 -
1 fil
On Mon, Jun 6, 2016 at 3:35 PM, Paul Moore <pmo...@redhat.com> wrote:
> From: Paul Moore <p...@paul-moore.com>
>
> It seems risky to always rely on the caller to ensure the socket's
> address family is correct before passing it to the NetLabel kAPI,
> especially since we
From: Paul Moore <p...@paul-moore.com>
It seems risky to always rely on the caller to ensure the socket's
address family is correct before passing it to the NetLabel kAPI,
especially since we see at least one LSM which didn't. Add address
family checks to the *_delattr() functions to help p
w you how to do it correctly next time.
>
>>Second, this appears to only affect Smack based systems, yes? SELinux based
>>systems should have the proper checking in place to prevent this (the checks
>>are handled in the LSM). That said, it probably wouldn't hurt to add the
>
On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 06/01/2016 03:18 PM, Eric Dumazet wrote:
>> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
>>> Hello,
>>>
>>> I'm currently trying to debug a problem with 4.7-rc1 and la
soon and I can do a proper
bisection test around this patch, but I wanted to mention this now in
case others are seeing the same problem.
--
paul moore
www.paul-moore.com
On Mon, May 9, 2016 at 6:39 AM, Huw Davies <h...@codeweavers.com> wrote:
> On Fri, May 06, 2016 at 06:59:32PM -0400, Paul Moore wrote:
>> On Wed, Feb 17, 2016 at 8:22 AM, Huw Davies <h...@codeweavers.com> wrote:
>> > We check lengths, checksum and the DOI. We le
it . The protocol has changed
> very slightly from the v2 patches, so please update to the latest.
>
> This patch series is based off v4.5-rc4.
>
> Thanks to Paul Moore, Hannes Frederic Sowa, Casey Schaufler and Julia
> Lawall for their comments so far.
>
> Changes between v
] = {
> .type = IPV6_TLV_JUMBO,
> .func = ipv6_hop_jumbo,
> },
> + {
> + .type = IPV6_TLV_CALIPSO,
> + .func = ipv6_hop_calipso,
> + },
> { -1, }
> };
>
> --
> 2.7.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
paul moore
www.paul-moore.com
nel, not by the userland.
From what I could tell from the patch description, it looks like
RTM_NEWSTATS only dumps stats to userspace and doesn't alter the state
of the kernel, is that correct? If so, then yes, NLMSG__READ is the
right SELinux permission. However, if RTM_NEWSTATS does al
g it in the future
shouldn't be a problem.
--
paul moore
www.paul-moore.com
On Thursday, April 07, 2016 01:45:32 AM Florian Westphal wrote:
> Paul Moore <p...@paul-moore.com> wrote:
> > On Wed, Apr 6, 2016 at 6:14 PM, Florian Westphal <f...@strlen.de> wrote:
> > > netfilter hooks are per namespace -- so there is hook unregister
enabling the SELinux netfilter hooks
across namespaces. Perhaps we can revisit this at a later time, but
let's keep it simple right now.
--
paul moore
www.paul-moore.com
s.c | 1 +
>> security/selinux/xfrm.c | 4 +++
>> 9 files changed, 96 insertions(+), 13 deletions(-)
>>
>
> Is there a patch 1/2?
Yes, there was (it was the "security: add hook ..." patch), but for
some reason it hasn't hit the archive that I normally use. Odd.
I'll fwd the patch to you off-list so as not to spam everyone again.
--
paul moore
www.paul-moore.com
On Wed, Apr 6, 2016 at 3:39 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Wed, 6 Apr 2016 14:36:43 -0400
>
>> On Wed, Apr 6, 2016 at 2:23 PM, David Miller <da...@davemloft.net> wrote:
>>> From: Paul Moore
On Wed, Apr 6, 2016 at 2:23 PM, David Miller <da...@davemloft.net> wrote:
> From: Paul Moore <p...@paul-moore.com>
> Date: Wed, 6 Apr 2016 10:07:27 -0400
>
>> "While marking the LSM hook structure doesn't directly affect the
>> SELinux netfilter hooks, on
On Wed, Apr 6, 2016 at 10:03 AM, Paolo Abeni <pab...@redhat.com> wrote:
> On Wed, 2016-04-06 at 08:33 -0400, Paul Moore wrote:
>> On Wed, Apr 6, 2016 at 5:51 AM, Paolo Abeni <pab...@redhat.com> wrote:
>> > Currently, selinux always registers iptables POSTROUTING hooks
directly affect the
SELinux netfilter hooks, once we remove the ability to deregister the
LSM hooks we will have no need to support deregistering netfilter
hooks and I expect we will drop that functionality as well to help
decrease the risk of tampering.
--
paul moore
www.paul-moore.com
On Mon, Mar 28, 2016 at 11:10 AM, Paul Moore <pmo...@redhat.com> wrote:
> From: Janak Desai <janak.de...@gtri.gatech.edu>
>
> We try to be clever and set large chunks of the bitmap at once, when
> possible; unfortunately we weren't very clever when we wrote
Desai <janak.de...@gtri.gatech.edu>
Signed-off-by: Paul Moore <p...@paul-moore.com>
---
net/netlabel/netlabel_kapi.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 28cddc8..1325776 100644
> + default:
> + /* Already checked in
> + * netlbl_domhsh_validate()
> + */
Another style point - unless we're talking about function header comment
blocks, don't place a multi-line comment terminator on a separate line. For
example, instead of the above, do something like this:
/* already checked in
* netlbl_domhsh_validate() */
> + return -EINVAL;
> + }
> }
--
paul moore
security @ redhat
de/net/calipso.h b/include/net/calipso.h
> new file mode 100644
> index 000..ad4d653
> --- /dev/null
> +++ b/include/net/calipso.h
> @@ -0,0 +1,79 @@
> +/*
> + * CALIPSO - Common Architecture Label IPv6 Security Option
> + *
> + * This is an implementation of the C
other patches are most welcome.
>
> If anybody actually wants to play with this, then you'll need some patches
> to netlabel-tools that are currently available on the 'calipso' branch at:
> https://github.com/hdmdavies/netlabel_tools.git
>
> Thanks to Paul Moore, Hannes Frederic Sowa
set to NULL.
> + * Otherwise it returns zero, creates a new header without the CALIPSO
> + * option (and removing as much padding as possible) and returns with
> + * @new set to that header.
> + *
> + */
> +static int calipso_opt_del(struct ipv6_opt_hdr *old,
> +
12 +---
> net/ipv4/tcp_input.c| 3 +++
> net/ipv6/tcp_ipv6.c | 12 +---
> 4 files changed, 27 insertions(+), 7 deletions(-)
--
paul moore
security @ redhat
ret_val = netlbl_af6list_add(>list, >list6);
> if (ret_val != 0) {
> kfree(map);
--
paul moore
security @ redhat
> +}
I should preface this by saying that I don't have a strong opinion on this
either way, and given where the code lives it is really up to DaveM, but I
wonder if it might be better to create ipv6_renew_options_kern() as the common
helper function that is called by ipv6_renew_options().
--
paul moore
security @ redhat
return ret_val;
> +
> + if (len_delta) {
> + if (len_delta > 0)
> + skb_push(skb, len_delta);
> + else
> + skb_pull(skb, -len_delta);
> + memmove((char *)ip6_hdr - len_delta, ip6_hdr,
> + sizeof(*ip6_hdr) + start);
> + skb_reset_network_header(skb);
> + ip6_hdr = ipv6_hdr(skb);
> + }
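Review bot: skb_push() in the len_delta > 0 branch has no visible headroom guarantee, and it will BUG if the headroom is short; if the preceding call whose ret_val is returned on failure is the headroom reservation (skb_cow() or similar) for len_delta, a short comment at the top of the `if (len_delta)` block stating that dependency would make the hunk self-evidently safe, otherwise a reservation is needed before the push.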
--
paul moore
security @ redhat
never had the time to see it through to the end; I'm happy that
someone was finally able to get it finished.
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
tate.
>
> This patch clones the sock's label from the parent sock and resolves the
> issue (similar to AF_BLUETOOTH protocol family).
>
> Cc: Paul Moore <pmo...@redhat.com>
> Cc: David Teigland <teigl...@redhat.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcel
duma...@google.com>
> Reported by: kernel test robot <ying.hu...@linux.intel.com>
> Cc: Paul Moore <p...@paul-moore.com>
> Cc: Stephen Smalley <s...@tycho.nsa.gov>
> Cc: Eric Paris <epa...@parisplace.org>
> ---
> include/net/sock.h |8
> net/sche
Make unix_sk() just like inet[6]_sk() by constify'ing the sock
parameter.
Signed-off-by: Paul Moore <pmo...@redhat.com>
---
include/net/af_unix.h |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index cb1b9bb..b36d837
or do so myself.
--
paul moore
linux security @ hp
.git;a=commit;h=4c3a0a254e5d706d3fe01bf42261534858d05586
--
paul moore
linux security @ hp
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
--- Paul Moore [EMAIL PROTECTED] wrote:
On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
From: Casey Schaufler [EMAIL PROTECTED]
Smack uses CIPSO labeling, but allows for unlabeled packets
by specifying
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
--- Paul Moore [EMAIL PROTECTED] wrote:
On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
... you shouldn't fix-up the return value from
netlbl_sock_setattr(). It only returns an error when there really
is an error