)]}' { "log": [ { "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05", "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1", "parents": [ "ed391f4ebf8f701d3566423ce8f17e614cde9806" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed Mar 24 17:04:11 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue Mar 30 22:02:32 2010 +0900" }, "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files. percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed. Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability. As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n only the necessary includes are there. ie. if only gfp is used,\n gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n blocks and try to put the new include such that its order conforms\n to its surrounding. It\u0027s put in the include block which contains\n core kernel includes, in the same order that the rest are ordered -\n alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n because the file doesn\u0027t have fitting include block), it prints out\n an error message indicating which .h file needs to be added to the\n file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n and ~3000 slab.h inclusions. The script emitted errors for ~400\n files.\n\n2. Each error was manually checked. Some didn\u0027t need the inclusion,\n some needed manual addition while adding it to implementation .h or\n embedding .c file was more appropriate for others. This step added\n inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n editing them as sprinkling gfp.h and slab.h inclusions around .h\n files could easily lead to inclusion dependency hell. Most gfp.h\n inclusion directives were ignored as stuff from gfp.h was usually\n wildly available and often used in preprocessor macros. Each\n slab.h inclusion directive was examined and added manually as\n necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my\n distributed build env didn\u0027t work with gcov compiles) and a few\n more options had to be turned off depending on archs to make things\n build (like ipr on powerpc/64 which failed due to missing writeq).\n\n * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n * powerpc and powerpc64 SMP allmodconfig\n * sparc and sparc64 SMP allmodconfig\n * ia64 SMP allmodconfig\n * s390 SMP allmodconfig\n * alpha SMP allmodconfig\n * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable easily on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n" }, { "commit": "2bf49690325b62480a42f7afed5e9f164173c570", "tree": "bc8525f6a45ea3ffaed9449084df7644bcd4e3c2", "parents": [ "f322abf83feddc3c37c3a91794e0c5aece4af18e" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Tue Jul 14 12:14:09 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Aug 17 08:37:18 2009 +1000" }, "message": "SELinux: Convert avc_audit to use lsm_audit.h\n\nConvert avc_audit in security/selinux/avc.c to use lsm_audit.h,\nfor better maintainability.\n\n - changed selinux to use common_audit_data instead of\n avc_audit_data\n - eliminated code in avc.c and used code from lsm_audit.h instead.\n\nHad to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit\ncan call common_lsm_audit and do the pre and post callbacks without\ndoing the actual dump. This makes it so that the patched version\nbehaves the same way as the unpatched version.\n\nAlso added a denied field to the selinux_audit_data private space,\nonce again to make it so that the patched version behaves like the\nunpatched.\n\nI\u0027ve tested and confirmed that AVCs look the same before and after\nthis patch.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "be940d6279c30a2d7c4e8d1d5435f957f594d66d", "tree": "965805d563cb756879fd3595230c3ca205da76d1", "parents": [ "b3a633c8527ef155b1a4e22e8f5abc58f7af54c9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 10:39:36 2009 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 10:39:36 2009 +1000" }, "message": "Revert \"SELinux: Convert avc_audit to use lsm_audit.h\"\n\nThis reverts commit 8113a8d80f4c6a3dc3724b39b470f3fee9c426b6.\n\nThe patch causes a stack overflow on my system during boot.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8113a8d80f4c6a3dc3724b39b470f3fee9c426b6", "tree": "27eb775108daaff8390ad564010a9f2fbd5187a2", "parents": [ "65c3f0a2d0f72d210c879e4974c2d222b7951321" ], "author": { "name": "Thomas Liu", "email": "tliu@redhat.com", "time": "Fri Jul 10 10:31:04 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jul 13 07:54:48 2009 +1000" }, "message": "SELinux: Convert avc_audit to use lsm_audit.h\n\nConvert avc_audit in security/selinux/avc.c to use lsm_audit.h,\nfor better maintainability and for less code duplication.\n\n - changed selinux to use common_audit_data instead of\n avc_audit_data\n - eliminated code in avc.c and used code from lsm_audit.h instead.\n\nI have tested to make sure that the avcs look the same before and\nafter this patch.\n\nSigned-off-by: Thomas Liu \u003ctliu@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "adf30907d63893e4208dfe3f5c88ae12bc2f25d5", "tree": "0f07542bb95de2ad537540868aba6cf87a86e17d", "parents": [ "511c3f92ad5b6d9f8f6464be1b4f85f0422be91a" ], "author": { "name": "Eric Dumazet", "email": "eric.dumazet@gmail.com", "time": "Tue Jun 02 05:19:30 2009 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jun 03 02:51:04 2009 -0700" }, "message": "net: skb-\u003edst accessors\n\nDefine three accessors to get/set dst attached to a skb\n\nstruct dst_entry *skb_dst(const struct sk_buff *skb)\n\nvoid skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)\n\nvoid skb_dst_drop(struct sk_buff *skb)\nThis one should replace occurrences of :\ndst_release(skb-\u003edst)\nskb-\u003edst \u003d NULL;\n\nDelete skb-\u003edst field\n\nSigned-off-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "86a264abe542cfececb4df129bc45a0338d8cdb9", "tree": "30152f04ba847f311028d5ca697f864c16c7ebb3", "parents": [ "f1752eec6145c97163dbce62d17cf5d928e28a27" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:18 2008 +1100" }, "message": "CRED: Wrap current-\u003ecred and a few other accessors\n\nWrap current-\u003ecred and a few other accessors to hide their actual\nimplementation.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b6dff3ec5e116e3af6f537d4caedcad6b9e5082a", "tree": "9e76f972eb7ce9b84e0146c8e4126a3f86acb428", "parents": [ "15a2460ed0af7538ca8e6c610fe607a2cd9da142" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:39:16 2008 +1100" }, "message": "CRED: Separate task security context from task_struct\n\nSeparate the task security context from task_struct. At this point, the\nsecurity data is temporarily embedded in the task_struct with two pointers\npointing to it.\n\nNote that the Alpha arch is altered as it refers to (E)UID and (E)GID in\nentry.S via asm-offsets.\n\nWith comment fixes Signed-off-by: Marc Dionne \u003cmarc.c.dionne@gmail.com\u003e\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "19b5b517a8b81a448be9b2bdaf18a761a7b9799e", "tree": "b1e83e331769d44f98e564c984acf3841261c2a8", "parents": [ "bda0c0afa7a694bb1459fd023515aca681e4d79a", "95fff33b8e306a4331024bbd31c0999d5bf48fcf" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 21 16:01:40 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 21 16:01:40 2008 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:\n SELinux: one little, two little, three little whitespaces, the avc.c saga.\n SELinux: cleanup on isle selinuxfs.c\n changing whitespace for fun and profit: policydb.c\n SELinux: whitespace and formating fixes for hooks.c\n SELinux: clean up printks\n SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups\n SELinux: services.c whitespace, syntax, and static declaraction cleanups\n SELinux: mls.c whitespace, syntax, and static declaraction cleanups\n SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups\n SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups\n SELinux: conditional.c whitespace, syntax, and static declaraction cleanups\n SELinux: avtab.c whitespace, syntax, and static declaraction cleanups\n SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups\n SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups\n SELinux: netnode.c whitespace, syntax, and static declaraction cleanups\n SELinux: netlink.c whitespace, syntax, and static declaraction cleanups\n SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups\n SELinux: netif.c whitespace, syntax, and static declaraction cleanups\n" }, { "commit": "3c1c88ab8ad8d1f7db74f719f2649a070190fd5e", "tree": "4801e6045ec34deb14b215b6e9b7b00dad5bb2da", "parents": [ "bfff3aa49765eb10053b58ee220949cfcc7a1a80" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Apr 18 17:38:27 2008 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Apr 21 19:07:26 2008 +1000" }, "message": "SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups\n\nThis patch changes xfrm.c to fix whitespace and syntax issues. Things that\nare fixed may include (does not not have to include)\n\nwhitespace at end of lines\nspaces followed by tabs\nspaces used instead of tabs\nspacing around parenthesis\nlocateion of { around struct and else clauses\nlocation of * in pointer declarations\nremoval of initialization of static data to keep it in the right section\nuseless {} in if statemetns\nuseless checking for NULL before kfree\nfixing of the indentation depth of switch statements\nand any number of other things I forgot to mention\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d7b1acd3b524b39f418e463e836b48ac041954d6", "tree": "38e0c822bc6ed1aac05c51eb4f17c57c48f31766", "parents": [ "f42b38009e1dbd4509a865e5ea0e91a1722c979d" ], "author": { "name": "Matthew Wilcox", "email": "matthew@wil.cx", "time": "Tue Feb 26 10:49:01 2008 -0500" }, "committer": { "name": "Matthew Wilcox", "email": "willy@linux.intel.com", "time": "Fri Apr 18 22:17:25 2008 -0400" }, "message": "security: Remove unnecessary inclusions of asm/semaphore.h\n\nNone of these files use any of the functionality promised by\nasm/semaphore.h.\n\nSigned-off-by: Matthew Wilcox \u003cwilly@linux.intel.com\u003e\n" }, { "commit": "03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b", "tree": "1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7", "parents": [ "00447872a643787411c2c0cb1df6169dda8b0c47" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Sat Apr 12 19:07:52 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 12 19:07:52 2008 -0700" }, "message": "LSM: Make the Labeled IPsec hooks more stack friendly\n\nThe xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs\non the stack to work around the LSM API. This patch attempts to fix that\nproblem by changing the LSM API to require only the relevant \"security\"\npointers instead of the entire SPD entry; we do this for all of the\nsecurity_xfrm_policy*() functions to keep things consistent.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d621d35e576aa20a0ddae8022c3810f38357c8ff", "tree": "318e8aa890dbe715b901b11b019ebac3badb693d", "parents": [ "220deb966ea51e0dedb6a187c0763120809f3e64" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:43:36 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:26 2008 +1100" }, "message": "SELinux: Enable dynamic enable/disable of the network access checks\n\nThis patch introduces a mechanism for checking when labeled IPsec or SECMARK\nare in use by keeping introducing a configuration reference counter for each\nsubsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry\nis created the labeled IPsec/XFRM reference count is increased and when the\nentry is removed it is decreased. In the case of SECMARK, when a SECMARK\ntarget is created the reference count is increased and later decreased when the\ntarget is removed. These reference counters allow SELinux to quickly determine\nif either of these subsystems are enabled.\n\nNetLabel already has a similar mechanism which provides the netlbl_enabled()\nfunction.\n\nThis patch also renames the selinux_relabel_packet_permission() function to\nselinux_secmark_relabel_packet_permission() as the original name and\ndescription were misleading in that they referenced a single packet label which\nis not the case.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "57002bfb31283e84f694763ed4db0fb761b7d6a9", "tree": "7788e55754cbe3a86fdd7e73a1e5e15e2cb8ff1a", "parents": [ "dbeeb816e805091e7cfc03baf36dc40b4adb2bbd" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Wed Oct 31 16:47:19 2007 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@sdv.(none)", "time": "Thu Nov 08 08:55:04 2007 +1100" }, "message": "SELinux: suppress a warning for 64k pages.\n\nOn PowerPC allmodconfig build we get this:\n\nsecurity/selinux/xfrm.c:214: warning: comparison is always false due to limited range of data type\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c80544dc0b87bb65038355e7aafdc30be16b26ab", "tree": "176349304bec88a9de16e650c9919462e0dd453c", "parents": [ "0e9663ee452ffce0d429656ebbcfe69417a30e92" ], "author": { "name": "Stephen Hemminger", "email": "shemminger@linux-foundation.org", "time": "Thu Oct 18 03:07:05 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Oct 18 14:37:31 2007 -0700" }, "message": "sparse pointer use of zero as null\n\nGet rid of sparse related warnings from places that use integer as NULL\npointer.\n\n[akpm@linux-foundation.org: coding-style fixes]\nSigned-off-by: Stephen Hemminger \u003cshemminger@linux-foundation.org\u003e\nCc: Andi Kleen \u003cak@suse.de\u003e\nCc: Jeff Garzik \u003cjeff@garzik.org\u003e\nCc: Matt Mackall \u003cmpm@selenic.com\u003e\nCc: Ian Kent \u003craven@themaw.net\u003e\nCc: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Davide Libenzi \u003cdavidel@xmailserver.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "20510f2f4e2dabb0ff6c13901807627ec9452f98", "tree": "d64b9eeb90d577f7f9688a215c4c6c3c2405188a", "parents": [ "5c3b447457789374cdb7b03afe2540d48c649a36" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Oct 16 23:31:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Wed Oct 17 08:43:07 2007 -0700" }, "message": "security: Convert LSM into a static interface\n\nConvert LSM into a static interface, as the ability to unload a security\nmodule is not required by in-tree users and potentially complicates the\noverall security architecture.\n\nNeedlessly exported LSM symbols have been unexported, to help reduce API\nabuse.\n\nParameters for the capability and root_plug modules are now specified\nat boot.\n\nThe SECURITY_FRAMEWORK_VERSION macro has also been removed.\n\nIn a nutshell, there is no safe way to unload an LSM. The modular interface\nis thus unecessary and broken infrastructure. It is used only by out-of-tree\nmodules, which are often binary-only, illegal, abusive of the API and\ndangerous, e.g. silently re-vectoring SELinux.\n\n[akpm@linux-foundation.org: cleanups]\n[akpm@linux-foundation.org: USB Kconfig fix]\n[randy.dunlap@oracle.com: fix LSM kernel-doc]\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Chris Wright \u003cchrisw@sous-sol.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Serge E. Hallyn\" \u003cserue@us.ibm.com\u003e\nAcked-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Randy Dunlap \u003crandy.dunlap@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "910949a66839ff5f59fede5b7cb68ecf1453e22c", "tree": "6842924dba1c4af0397d06aa4b6363e8c26c220e", "parents": [ "0de085bb474f64e4fdb2f1ff3268590792648c7b" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Tue Jul 24 09:53:23 2007 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jul 25 12:49:41 2007 -0400" }, "message": "SELinux: null-terminate context string in selinux_xfrm_sec_ctx_alloc\n\nxfrm_audit_log() expects the context string to be null-terminated\nwhich currently doesn\u0027t happen with user-supplied contexts.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3de4bab5b9f8848a0c16a4b1ffe0452f0d670237", "tree": "f65c12b53bf2ad02645ea31522f67e7318019498", "parents": [ "9f2ad66509b182b399a5b03de487f45bde623524" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Nov 17 17:38:54 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:24:14 2006 -0800" }, "message": "SELinux: peer secid consolidation for external network labeling\n\nNow that labeled IPsec makes use of the peer_sid field in the\nsk_security_struct we can remove a lot of the special cases between labeled\nIPsec and NetLabel. In addition, create a new function,\nsecurity_skb_extlbl_sid(), which we can use in several places to get the\nsecurity context of the packet\u0027s external label which allows us to further\nsimplify the code in a few places.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "67f83cbf081a70426ff667e8d14f94e13ed3bdca", "tree": "776a40733eacb9071478f865e6791daa3f6fd602", "parents": [ "6b877699c6f1efede4545bcecc367786a472eedb" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:26 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:34 2006 -0800" }, "message": "SELinux: Fix SA selection semantics\n\nFix the selection of an SA for an outgoing packet to be at the same\ncontext as the originating socket/flow. This eliminates the SELinux\npolicy\u0027s ability to use/sendto SAs with contexts other than the socket\u0027s.\n\nWith this patch applied, the SELinux policy will require one or more of the\nfollowing for a socket to be able to communicate with/without SAs:\n\n1. To enable a socket to communicate without using labeled-IPSec SAs:\n\nallow socket_t unlabeled_t:association { sendto recvfrom }\n\n2. To enable a socket to communicate with labeled-IPSec SAs:\n\nallow socket_t self:association { sendto };\nallow socket_t peer_sa_t:association { recvfrom };\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6b877699c6f1efede4545bcecc367786a472eedb", "tree": "c0a60dc90578fa9f16d4496e2700bc285eab47c0", "parents": [ "c1a856c9640c9ff3d70bbd8214b6a0974609eef8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:04:09 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:33 2006 -0800" }, "message": "SELinux: Return correct context for SO_PEERSEC\n\nFix SO_PEERSEC for tcp sockets to return the security context of\nthe peer (as represented by the SA from the peer) as opposed to the\nSA used by the local/source socket.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c1a856c9640c9ff3d70bbd8214b6a0974609eef8", "tree": "76166bf784edd968ffac8c3dcc607d73580c509a", "parents": [ "e8db8c99100750ade5a9b4072b9469cab718a5b7" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Wed Nov 08 17:03:44 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:31 2006 -0800" }, "message": "SELinux: Various xfrm labeling fixes\n\nSince the upstreaming of the mlsxfrm modification a few months back,\ntesting has resulted in the identification of the following issues/bugs that\nare resolved in this patch set.\n\n1. Fix the security context used in the IKE negotiation to be the context\n of the socket as opposed to the context of the SPD rule.\n\n2. Fix SO_PEERSEC for tcp sockets to return the security context of\n the peer as opposed to the source.\n\n3. Fix the selection of an SA for an outgoing packet to be at the same\n context as the originating socket/flow.\n\nThe following would be the result of applying this patchset:\n\n- SO_PEERSEC will now correctly return the peer\u0027s context.\n\n- IKE deamons will receive the context of the source socket/flow\n as opposed to the SPD rule\u0027s context so that the negotiated SA\n will be at the same context as the source socket/flow.\n\n- The SELinux policy will require one or more of the\n following for a socket to be able to communicate with/without SAs:\n\n 1. To enable a socket to communicate without using labeled-IPSec SAs:\n\n allow socket_t unlabeled_t:association { sendto recvfrom }\n\n 2. To enable a socket to communicate with labeled-IPSec SAs:\n\n allow socket_t self:association { sendto };\n allow socket_t peer_sa_t:association { recvfrom };\n\nThis Patch: Pass correct security context to IKE for use in negotiation\n\nFix the security context passed to IKE for use in negotiation to be the\ncontext of the socket as opposed to the context of the SPD rule so that\nthe SA carries the label of the originating socket/flow.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d", "tree": "293f595f737540a546ba186ba1f054389aa95f6f", "parents": [ "134b0fc544ba062498451611cb6f3e4454221b3d" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Thu Oct 05 15:42:18 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 11 23:59:37 2006 -0700" }, "message": "IPsec: correct semantics for SELinux policy matching\n\nCurrently when an IPSec policy rule doesn\u0027t specify a security\ncontext, it is assumed to be \"unlabeled\" by SELinux, and so\nthe IPSec policy rule fails to match to a flow that it would\notherwise match to, unless one has explicitly added an SELinux\npolicy rule allowing the flow to \"polmatch\" to the \"unlabeled\"\nIPSec policy rules. In the absence of such an explicitly added\nSELinux policy rule, the IPSec policy rule fails to match and\nso the packet(s) flow in clear text without the otherwise applicable\nxfrm(s) applied.\n\nThe above SELinux behavior violates the SELinux security notion of\n\"deny by default\" which should actually translate to \"encrypt by\ndefault\" in the above case.\n\nThis was first reported by Evgeniy Polyakov and the way James Morris\nwas seeing the problem was when connecting via IPsec to a\nconfined service on an SELinux box (vsftpd), which did not have the\nappropriate SELinux policy permissions to send packets via IPsec.\n\nWith this patch applied, SELinux \"polmatching\" of flows Vs. IPSec\npolicy rules will only come into play when there\u0027s a explicit context\nspecified for the IPSec policy rule (which also means there\u0027s corresponding\nSELinux policy allowing appropriate domains/flows to polmatch to this context).\n\nSecondly, when a security module is loaded (in this case, SELinux), the\nsecurity_xfrm_policy_lookup() hook can return errors other than access denied,\nsuch as -EINVAL. We were not handling that correctly, and in fact\ninverting the return logic and propagating a false \"ok\" back up to\nxfrm_lookup(), which then allowed packets to pass as if they were not\nassociated with an xfrm policy.\n\nThe solution for this is to first ensure that errno values are\ncorrectly propagated all the way back up through the various call chains\nfrom security_xfrm_policy_lookup(), and handled correctly.\n\nThen, flow_cache_lookup() is modified, so that if the policy resolver\nfails (typically a permission denied via the security module), the flow\ncache entry is killed rather than having a null policy assigned (which\nindicates that the packet can pass freely). This also forces any future\nlookups for the same flow to consult the security module (e.g. SELinux)\nfor current security policy (rather than, say, caching the error on the\nflow cache entry).\n\nThis patch: Fix the selinux side of things.\n\nThis makes sure SELinux polmatching of flow contexts to IPSec policy\nrules comes into play only when an explicit context is associated\nwith the IPSec policy rule.\n\nAlso, this no longer defaults the context of a socket policy to\nthe context of the socket since the \"no explicit context\" case\nis now handled properly.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf", "tree": "02adcb6fe6c346a8b99cf161ba5233ed1e572727", "parents": [ "cb969f072b6d67770b559617f14e767f47e77ece" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:50 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:29 2006 -0700" }, "message": "[MLSXFRM]: Auto-labeling of child sockets\n\nThis automatically labels the TCP, Unix stream, and dccp child sockets\nas well as openreqs to be at the same MLS level as the peer. This will\nresult in the selection of appropriately labeled IPSec Security\nAssociations.\n\nThis also uses the sock\u0027s sid (as opposed to the isec sid) in SELinux\nenforcement of secmark in rcv_skb and postroute_last hooks.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cb969f072b6d67770b559617f14e767f47e77ece", "tree": "4112eb0182e8b3e28b42aebaa40ca25454fc6b76", "parents": [ "beb8d13bed80f8388f1a9a107d07ddd342e627e8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:20 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:28 2006 -0700" }, "message": "[MLSXFRM]: Default labeling of socket specific IPSec policies\n\nThis defaults the label of socket-specific IPSec policies to be the\nsame as the socket they are set on.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "beb8d13bed80f8388f1a9a107d07ddd342e627e8", "tree": "19d5763b9b3b8ff3969997565e5ec0edd6e4bd33", "parents": [ "4e2ba18eae7f370c7c3ed96eaca747cc9b39f917" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:12:42 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:27 2006 -0700" }, "message": "[MLSXFRM]: Add flow labeling\n\nThis labels the flows that could utilize IPSec xfrms at the points the\nflows are defined so that IPSec policy and SAs at the right label can\nbe used.\n\nThe following protos are currently not handled, but they should\ncontinue to be able to use single-labeled IPSec like they currently\ndo.\n\nipmr\nip_gre\nipip\nigmp\nsit\nsctp\nip6_tunnel (IPv6 over IPv6 tunnel device)\ndecnet\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c", "tree": "bf023c17abf6813f2694ebf5fafff82edd6a1023", "parents": [ "b6340fcd761acf9249b3acbc95c4dc555d9beb07" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:29:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:24 2006 -0700" }, "message": "[MLSXFRM]: Flow based matching of xfrm policy and state\n\nThis implements a seemless mechanism for xfrm policy selection and\nstate matching based on the flow sid. This also includes the necessary\nSELinux enforcement pieces.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6ab3d5624e172c553004ecc862bfeac16d9d68b7", "tree": "6d98881fe91fd9583c109208d5c27131b93fa248", "parents": [ "e02169b682bc448ccdc819dc8639ed34a23cedd8" ], "author": { "name": "Jörn Engel", "email": "joern@wohnheim.fh-wedel.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "message": "Remove obsolete #include \u003clinux/config.h\u003e\n\nSigned-off-by: Jörn Engel \u003cjoern@wohnheim.fh-wedel.de\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n" }, { "commit": "4e5ab4cb85683cf77b507ba0c4d48871e1562305", "tree": "aef7ba8b6050fcaccbaf0d05f8e5ba860a143eaf", "parents": [ "100468e9c05c10fb6872751c1af523b996d6afa9" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 09 00:33:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:30:05 2006 -0700" }, "message": "[SECMARK]: Add new packet controls to SELinux\n\nAdd new per-packet access controls to SELinux, replacing the old\npacket controls.\n\nPackets are labeled with the iptables SECMARK and CONNSECMARK targets,\nthen security policy for the packets is enforced with these controls.\n\nTo allow for a smooth transition to the new controls, the old code is\nstill present, but not active by default. To restore previous\nbehavior, the old controls may be activated at runtime by writing a\n\u00271\u0027 to /selinux/compat_net, and also via the kernel boot parameter\nselinux_compat_net. Switching between the network control models\nrequires the security load_policy permission. The old controls will\nprobably eventually be removed and any continued use is discouraged.\n\nWith this patch, the new secmark controls for SElinux are disabled by\ndefault, so existing behavior is entirely preserved, and the user is\nnot affected at all.\n\nIt also provides a config option to enable the secmark controls by\ndefault (which can always be overridden at boot and runtime). It is\nalso noted in the kconfig help that the user will need updated\nuserspace if enabling secmark controls for SELinux and that they\u0027ll\nprobably need the SECMARK and CONNMARK targets, and conntrack protocol\nhelpers, although such decisions are beyond the scope of kernel\nconfiguration.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63", "tree": "b4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf", "parents": [ "cec6f7f39c3db7d9f6091bf2f8fc8d520f372719" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Thu Jun 08 23:39:49 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:45 2006 -0700" }, "message": "[LSM-IPsec]: SELinux Authorize\n\nThis patch contains a fix for the previous patch that adds security\ncontexts to IPsec policies and security associations. In the previous\npatch, no authorization (besides the check for write permissions to\nSAD and SPD) is required to delete IPsec policies and security\nassocations with security contexts. Thus a user authorized to change\nSAD and SPD can bypass the IPsec policy authorization by simply\ndeleteing policies with security contexts. To fix this security hole,\nan additional authorization check is added for removing security\npolicies and security associations with security contexts.\n\nNote that if no security context is supplied on add or present on\npolicy to be deleted, the SELinux module allows the change\nunconditionally. The hook is called on deletion when no context is\npresent, which we may want to change. At present, I left it up to the\nmodule.\n\nLSM changes:\n\nThe patch adds two new LSM hooks: xfrm_policy_delete and\nxfrm_state_delete. The new hooks are necessary to authorize deletion\nof IPsec policies that have security contexts. The existing hooks\nxfrm_policy_free and xfrm_state_free lack the context to do the\nauthorization, so I decided to split authorization of deletion and\nmemory management of security data, as is typical in the LSM\ninterface.\n\nUse:\n\nThe new delete hooks are checked when xfrm_policy or xfrm_state are\ndeleted by either the xfrm_user interface (xfrm_get_policy,\nxfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).\n\nSELinux changes:\n\nThe new policy_delete and state_delete functions are added.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "67644726317a8274be4a3d0ef85b9ccebaa90304", "tree": "c2bcf873d19d1b18d65e4f5d6d5c3cd613e9cb13", "parents": [ "66004a6ca23f2a2408b32cbe27fda0389fb8f9dc" ], "author": { "name": "Dave Jones", "email": "davej@redhat.com", "time": "Sun Apr 02 23:34:19 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Apr 09 12:35:53 2006 -0700" }, "message": "[SELINUX] Fix build after ipsec decap state changes.\n\n security/selinux/xfrm.c: In function \u0027selinux_socket_getpeer_dgram\u0027:\n security/selinux/xfrm.c:284: error: \u0027struct sec_path\u0027 has no member named \u0027x\u0027\n security/selinux/xfrm.c: In function \u0027selinux_xfrm_sock_rcv_skb\u0027:\n security/selinux/xfrm.c:317: error: \u0027struct sec_path\u0027 has no member named \u0027x\u0027\n\nSigned-off-by: Dave Jones \u003cdavej@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "2c7946a7bf45ae86736ab3b43d0085e43947945c", "tree": "b956f301033ebaefe8d2701b257edfd947f537f3", "parents": [ "be33690d8fcf40377f16193c463681170eb6b295" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:41:23 2006 -0800" }, "message": "[SECURITY]: TCP/UDP getpeersec\n\nThis patch implements an application of the LSM-IPSec networking\ncontrols whereby an application can determine the label of the\nsecurity association its TCP or UDP sockets are currently connected to\nvia getsockopt and the auxiliary data mechanism of recvmsg.\n\nPatch purpose:\n\nThis patch enables a security-aware application to retrieve the\nsecurity context of an IPSec security association a particular TCP or\nUDP socket is using. The application can then use this security\ncontext to determine the security context for processing on behalf of\nthe peer at the other end of this connection. In the case of UDP, the\nsecurity context is for each individual packet. An example\napplication is the inetd daemon, which could be modified to start\ndaemons running at security contexts dependent on the remote client.\n\nPatch design approach:\n\n- Design for TCP\nThe patch enables the SELinux LSM to set the peer security context for\na socket based on the security context of the IPSec security\nassociation. The application may retrieve this context using\ngetsockopt. When called, the kernel determines if the socket is a\nconnected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry\ncache on the socket to retrieve the security associations. If a\nsecurity association has a security context, the context string is\nreturned, as for UNIX domain sockets.\n\n- Design for UDP\nUnlike TCP, UDP is connectionless. This requires a somewhat different\nAPI to retrieve the peer security context. With TCP, the peer\nsecurity context stays the same throughout the connection, thus it can\nbe retrieved at any time between when the connection is established\nand when it is torn down. With UDP, each read/write can have\ndifferent peer and thus the security context might change every time.\nAs a result the security context retrieval must be done TOGETHER with\nthe packet retrieval.\n\nThe solution is to build upon the existing Unix domain socket API for\nretrieving user credentials. Linux offers the API for obtaining user\ncredentials via ancillary messages (i.e., out of band/control messages\nthat are bundled together with a normal message).\n\nPatch implementation details:\n\n- Implementation for TCP\nThe security context can be retrieved by applications using getsockopt\nwith the existing SO_PEERSEC flag. As an example (ignoring error\nchecking):\n\ngetsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, \u0026optlen);\nprintf(\"Socket peer context is: %s\\n\", optbuf);\n\nThe SELinux function, selinux_socket_getpeersec, is extended to check\nfor labeled security associations for connected (TCP_ESTABLISHED \u003d\u003d\nsk-\u003esk_state) TCP sockets only. If so, the socket has a dst_cache of\nstruct dst_entry values that may refer to security associations. If\nthese have security associations with security contexts, the security\ncontext is returned.\n\ngetsockopt returns a buffer that contains a security context string or\nthe buffer is unmodified.\n\n- Implementation for UDP\nTo retrieve the security context, the application first indicates to\nthe kernel such desire by setting the IP_PASSSEC option via\ngetsockopt. Then the application retrieves the security context using\nthe auxiliary data mechanism.\n\nAn example server application for UDP should look like this:\n\ntoggle \u003d 1;\ntoggle_len \u003d sizeof(toggle);\n\nsetsockopt(sockfd, SOL_IP, IP_PASSSEC, \u0026toggle, \u0026toggle_len);\nrecvmsg(sockfd, \u0026msg_hdr, 0);\nif (msg_hdr.msg_controllen \u003e sizeof(struct cmsghdr)) {\n cmsg_hdr \u003d CMSG_FIRSTHDR(\u0026msg_hdr);\n if (cmsg_hdr-\u003ecmsg_len \u003c\u003d CMSG_LEN(sizeof(scontext)) \u0026\u0026\n cmsg_hdr-\u003ecmsg_level \u003d\u003d SOL_IP \u0026\u0026\n cmsg_hdr-\u003ecmsg_type \u003d\u003d SCM_SECURITY) {\n memcpy(\u0026scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));\n }\n}\n\nip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow\na server socket to receive security context of the peer. A new\nancillary message type SCM_SECURITY.\n\nWhen the packet is received we get the security context from the\nsec_path pointer which is contained in the sk_buff, and copy it to the\nancillary message space. An additional LSM hook,\nselinux_socket_getpeersec_udp, is defined to retrieve the security\ncontext from the SELinux space. The existing function,\nselinux_socket_getpeersec does not suit our purpose, because the\nsecurity context is copied directly to user space, rather than to\nkernel space.\n\nTesting:\n\nWe have tested the patch by setting up TCP and UDP connections between\napplications on two machines using the IPSec policies that result in\nlabeled security associations being built. For TCP, we can then\nextract the peer security context using getsockopt on either end. For\nUDP, the receiving end can retrieve the security context using the\nauxiliary data mechanism of recvmsg.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ee2e6841b934d76cb944a3390bbea84da777d4fa", "tree": "839c2a904647d220d5188e942240b22a24403990", "parents": [ "aa0e4e4aea8d9e0a559a884336d728f0263063e0" ], "author": { "name": "Luiz Capitulino", "email": "lcapitulino@mandriva.com.br", "time": "Fri Jan 06 22:59:43 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jan 07 12:57:27 2006 -0800" }, "message": "[XFRM]: Fix sparse warning.\n\nsecurity/selinux/xfrm.c:155:10: warning: Using plain integer as NULL pointer\n\nSigned-off-by: Luiz Capitulino \u003clcapitulino@mandriva.com.br\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5f8ac64b15172c7ced7d7990eb28342092bc751b", "tree": "63046817c9a6e8db513379337f01289c045a5d63", "parents": [ "69549ddd2f894c4cead50ee2b60cc02990c389ad" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Fri Jan 06 13:22:39 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Jan 06 13:22:39 2006 -0800" }, "message": "[LSM-IPSec]: Corrections to LSM-IPSec Nethooks\n\nThis patch contains two corrections to the LSM-IPsec Nethooks patches\npreviously applied. \n\n(1) free a security context on a failed insert via xfrm_user \ninterface in xfrm_add_policy. Memory leak.\n\n(2) change the authorization of the allocation of a security context\nin a xfrm_policy or xfrm_state from both relabelfrom and relabelto \nto setcontext.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d28d1e080132f28ab773291f10ad6acca4c8bba2", "tree": "4cc6abef076393bc4c9f0d4e4c9952b78c04d3ee", "parents": [ "df71837d5024e2524cd51c93621e558aa7dd9f3f" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:40 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:25 2006 -0800" }, "message": "[LSM-IPSec]: Per-packet access control.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the SELinux LSM to\ncreate, deallocate, and use security contexts for policies\n(xfrm_policy) and security associations (xfrm_state) that enable\ncontrol of a socket\u0027s ability to send and receive packets.\n\nPatch purpose:\n\nThe patch is designed to enable the SELinux LSM to implement access\ncontrol on individual packets based on the strongly authenticated\nIPSec security association. Such access controls augment the existing\nones in SELinux based on network interface and IP address. The former\nare very coarse-grained, and the latter can be spoofed. By using\nIPSec, the SELinux can control access to remote hosts based on\ncryptographic keys generated using the IPSec mechanism. This enables\naccess control on a per-machine basis or per-application if the remote\nmachine is running the same mechanism and trusted to enforce the\naccess control policy.\n\nPatch design approach:\n\nThe patch\u0027s main function is to authorize a socket\u0027s access to a IPSec\npolicy based on their security contexts. Since the communication is\nimplemented by a security association, the patch ensures that the\nsecurity association\u0027s negotiated and used have the same security\ncontext. The patch enables allocation and deallocation of such\nsecurity contexts for policies and security associations. It also\nenables copying of the security context when policies are cloned.\nLastly, the patch ensures that packets that are sent without using a\nIPSec security assocation with a security context are allowed to be\nsent in that manner.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nThe function which authorizes a socket to perform a requested\noperation (send/receive) on a IPSec policy (xfrm_policy) is\nselinux_xfrm_policy_lookup. The Netfilter and rcv_skb hooks ensure\nthat if a IPSec SA with a securit y association has not been used,\nthen the socket is allowed to send or receive the packet,\nrespectively.\n\nThe patch implements SELinux function for allocating security contexts\nwhen policies (xfrm_policy) are created via the pfkey or xfrm_user\ninterfaces via selinux_xfrm_policy_alloc. When a security association\nis built, SELinux allocates the security context designated by the\nXFRM subsystem which is based on that of the authorized policy via\nselinux_xfrm_state_alloc.\n\nWhen a xfrm_policy is cloned, the security context of that policy, if\nany, is copied to the clone via selinux_xfrm_policy_clone.\n\nWhen a xfrm_policy or xfrm_state is freed, its security context, if\nany is also freed at selinux_xfrm_policy_free or\nselinux_xfrm_state_free.\n\nTesting:\n\nThe SELinux authorization function is tested using ipsec-tools. We\ncreated policies and security associations with particular security\ncontexts and added SELinux access control policy entries to verify the\nauthorization decision. We also made sure that packets for which no\nsecurity context was supplied (which either did or did not use\nsecurity associations) were authorized using an unlabelled context.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" } ] }