This patch adds auditing support to the NetLabel static labeling mechanism.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Most trusted OSs, with the exception of Linux, have the ability to specify
static security labels for unlabeled networks. This patch adds this ability to
the NetLabel packet labeling framework.
If the NetLabel subsystem is called to determine the security attributes of an
incoming packet it first checks to see if any recognized NetLabel packet
labeling protocols are in-use on the packet. If none can be found then the
unlabled connection table is queried and based on the packets incoming
interface and address it is matched with a security label as configured by the
administrator using the netlabel_tools package. The matching security label is
returned to the caller just as if the packet was explicitly labeled using a
labeling protocol.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
This patch introduces a mechanism for checking when labeled IPsec or SECMARK
are in use by keeping introducing a configuration reference counter for each
subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry
is created the labeled IPsec/XFRM reference count is increased and when the
entry is removed it is decreased. In the case of SECMARK, when a SECMARK
target is created the reference count is increased and later decreased when the
target is removed. These reference counters allow SELinux to quickly determine
if either of these subsystems are enabled.
NetLabel already has a similar mechanism which provides the netlbl_enabled()
function.
This patch also renames the selinux_relabel_packet_permission() function to
selinux_secmark_relabel_packet_permission() as the original name and
description were misleading in that they referenced a single packet label which
is not the case.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
In order to do any sort of IP header inspection of incoming packets we need to
know which address family, AF_INET/AF_INET6/etc., it belongs to and since the
sk_buff structure does not store this information we need to pass along the
address family separate from the packet itself.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
This patch adds support to the NetLabel LSM secattr struct for a secid token
and a type field, paving the way for full LSM/SELinux context support and
"static" or "fallback" labels. In addition, this patch adds a fair amount
of documentation to the core NetLabel structures used as part of the
NetLabel kernel API.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6.25: (1470 commits)
[IPV6] ADDRLABEL: Fix double free on label deletion.
[PPP]: Sparse warning fixes.
[IPV4] fib_trie: remove unneeded NULL check
[IPV4] fib_trie: More whitespace cleanup.
[NET_SCHED]: Use nla_policy for attribute validation in ematches
[NET_SCHED]: Use nla_policy for attribute validation in actions
[NET_SCHED]: Use nla_policy for attribute validation in classifiers
[NET_SCHED]: Use nla_policy for attribute validation in packet schedulers
[NET_SCHED]: sch_api: introduce constant for rate table size
[NET_SCHED]: Use typeful attribute parsing helpers
[NET_SCHED]: Use typeful attribute construction helpers
[NET_SCHED]: Use NLA_PUT_STRING for string dumping
[NET_SCHED]: Use nla_nest_start/nla_nest_end
[NET_SCHED]: Propagate nla_parse return value
[NET_SCHED]: act_api: use PTR_ERR in tcf_action_init/tcf_action_get
[NET_SCHED]: act_api: use nlmsg_parse
[NET_SCHED]: act_api: fix netlink API conversion bug
[NET_SCHED]: sch_netem: use nla_parse_nested_compat
[NET_SCHED]: sch_atm: fix format string warning
[NETNS]: Add namespace for ICMP replying code.
...
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: (68 commits)
[MIPS] remove Documentation/mips/GT64120.README
[MIPS] Malta: remaining bits of the board support code cleanup
[MIPS] Malta: make the helper function static
[MIPS] Malta: fix braces at single statement blocks
[MIPS] Malta, Atlas: move an extern function declaration to the header file
[MIPS] Malta: Use C89 style for comments
[MIPS] Malta: else should follow close brace in malta_int.c
[MIPS] Malta: remove a superfluous comment
[MIPS] Malta: include <linux/cpu.h> instead of <asm/cpu.h>
[MIPS] Malta, Atlas, Sead: remove an extern from .c files
[MIPS] Malta: fix oversized lines in malta_int.c
[MIPS] Malta: remove a dead function declaration
[MIPS] Malta: use tabs not spaces
[MIPS] Malta: set up the screen info in a separate function
[MIPS] Malta: check the PCI clock frequency in a separate function
[MIPS] Malta: use the KERN_ facility level in printk()
[MIPS] Malta: use Linux kernel style for structure initialization
[MIPS]: constify function pointer tables
[MIPS] compat: handle argument endianess of sys32_(f)truncate64 with merge_64
[MIPS] Cobalt 64-bits kernels can be safely unmarked experimental
...
* git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild: (79 commits)
Remove references to "make dep"
kconfig: document use of HAVE_*
Introduce new section reference annotations tags: __ref, __refdata, __refconst
kbuild: warn about ld added unique sections
kbuild: add verbose option to Section mismatch reporting in modpost
kconfig: tristate choices with mixed tristate and boolean values
asm-generic/vmlix.lds.h: simplify __mem{init,exit}* dependencies
remove __attribute_used__
kbuild: support ARCH=x86 in buildtar
kconfig: remove "enable"
kbuild: simplified warning report in modpost
kbuild: introduce a few helpers in modpost
kbuild: use simpler section mismatch warnings in modpost
kbuild: link vmlinux.o before kallsyms passes
kbuild: introduce new option to enhance section mismatch analysis
Use separate sections for __dev/__cpu/__mem code/data
compiler.h: introduce __section()
all archs: consolidate init and exit sections in vmlinux.lds.h
kbuild: check section names consistently in modpost
kbuild: introduce blacklisting in modpost
...
* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus:
Module: check to see if we have a built in module with the same name
module: add module taint on ndiswrapper
module: fix the module name length in param_sysfs_builtin
module: make module_address_lookup safe
module: better OOPS and lockdep coverage for loading modules
module: Fix gratuitous sprintf in module.c
module: wait for dependent modules doing init.
module: Don't report discarded init pages as kernel text.
This was compile-tested using default configs for the boards
affected by this change.
This patch does not introduce any functional changes.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
This patch moves the "extern" declaration for the function
mips_reboot_setup() from the board setup .c files to the
header file include/asm-mips/mips-boards/generic.h.
This fixes a warning produced by the checkpatch.pl script.
No functional changes introduced.
This was compile-tested by building the kernel for all
three boards affected by this change. All builds finished
successfully.
Signed-off-by: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
The Qemu platform was originally implemented to have an easily supportable
platform until Qemu reaches a state where it emulates a real world system.
Since the latest release Qemu is capable of emulating the MIPSsim and
Malta platforms, so this goal has been reached. The Qemu plaform is also
rather underfeatured so less useful than a Malta emulation.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Removed unneeded button check for reset.
Because, the Cobalt has power switch.
Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
- EISA support for non PCI RMs (RM200 and RM400-xxx). The major part
is the splitting of the EISA and onboard ISA of the RM200, which
makes the EISA bus on the RM200 look like on other RMs.
- 64bit kernel support
- system type detection is now common for big and little endian
- moved sniprom code to arch/mips/fw
- added call_o32 function to arch/mips/fw/lib, which uses a private
stack for calling prom functions
- fix problem with ISA interrupts, which makes using PIT clockevent
possible
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
This patch adds IDs for new Au1200 variants: Au1210 and Au1250.
They are essentially identical to the Au1200 except for the Au1210
which has a different SoC-ID in the PRId register [bits 31:24].
The Au1250 is a "Au1200 V0.2".
Signed-off-by: Manuel Lauss <mano@roarinelk.homelinux.net>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Add support for SGI IP28 machines (Indigo 2 with R10k CPUs)
This work is mainly based on Peter Fuersts work.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
According to Broadcom the PT systems are production test systems which
never reached customers so no need to keep the fragmentary support we
currently have.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
IP28 needs special treatment to avoid speculative accesses. gcc
takes care for .c code, but for assembly code we need to do it
manually.
This is taken from Peter Fuersts IP28 patches.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
This patch adds support for txx9wdt driver to rbhma3100, rbhma4200 and
rbhma4500 platform.
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
R10k non coherent machines need a real dma cache invalidate to get rid of
speculative stores in cache. For other machines this promises a slight
speedup.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
