GitHub/LineageOS/android_kernel_motorola_exynos9610.git
[IPv6] address: Convert address notification to use rtnl_notify()
Thomas Graf [Tue, 15 Aug 2006 07:35:02 +0000 (00:35 -0700)]

Fixes a wrong use of current->pid as netlink pid.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPv4] route: Convert route notifications to use rtnl_notify()
Thomas Graf [Tue, 15 Aug 2006 07:34:17 +0000 (00:34 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPv4] address: Convert address notification to use rtnl_notify()
Thomas Graf [Tue, 15 Aug 2006 07:33:59 +0000 (00:33 -0700)]

Adds support for NLM_F_ECHO allowing applications to easily
see which addresses have been deleted, added, or promoted.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[DECNET]: Convert DECnet notifications to use rtnl_notify()
Thomas Graf [Tue, 15 Aug 2006 07:33:35 +0000 (00:33 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Convert neighbour notifications to use rtnl_notify()
Thomas Graf [Tue, 15 Aug 2006 07:33:14 +0000 (00:33 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET] fib_rules: Convert fib rule notification to use rtnl_notify()
Thomas Graf [Tue, 15 Aug 2006 07:32:48 +0000 (00:32 -0700)]

Adds support for NLM_F_ECHO to simplify the process of identifying
inserted rules with an auto generated priority.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[RTNETLINK]: Add rtnetlink notification interface
Thomas Graf [Tue, 15 Aug 2006 07:31:41 +0000 (00:31 -0700)]

Adds rtnl_notify() to send rtnetlink notification messages and
rtnl_set_sk_err() to report notification errors as socket
errors in order to indicate the need of a resync due to loss
of events.

nlmsg_report() is added to properly document the meaning of
NLM_F_ECHO.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLINK]: Add notification message sending interface
Thomas Graf [Tue, 15 Aug 2006 07:31:06 +0000 (00:31 -0700)]

Adds nlmsg_notify() implementing proper notification logic. The
message is multicasted to all listeners in the group. The
application the request originates from can request a unicast
back report, in which case said socket will be excluded from the
multicast to avoid duplicated notifications.

nlmsg_multicast() is extended to take allocation flags to
allow notification in atomic contexts.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts
Thomas Graf [Tue, 15 Aug 2006 07:30:25 +0000 (00:30 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6] udp: Fix typo in previous change.
David S. Miller [Tue, 15 Aug 2006 07:15:41 +0000 (00:15 -0700)]

UDPv6 stats are UDP6_foo not UDP_foo.

Signed-off-by: David S. Miller <davem@davemloft.net>
[ARCNET]: SoHard PCI support
Stéphane Witzmann [Tue, 15 Aug 2006 07:09:17 +0000 (00:09 -0700)]

Add support for a SoHard PCI ARCnet card.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IRDA]: Replace hard-coded dev_self[] array sizes with ARRAY_SIZE()
Bjorn Helgaas [Tue, 15 Aug 2006 07:05:38 +0000 (00:05 -0700)]

Several IR drivers used "for (i = 0; i < 4; i++)" to walk their
dev_self[] table.  Better to use ARRAY_SIZE().  And fix ali-ircc so it
won't run off the end if we find too many adapters.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[SELINUX]: security/selinux/hooks.c: Make 4 functions static.
Adrian Bunk [Tue, 15 Aug 2006 07:03:53 +0000 (00:03 -0700)]

This patch makes four needlessly global functions static.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Make unused signal code go away so nobody copies its brokenness
Alan Cox [Tue, 15 Aug 2006 07:01:05 +0000 (00:01 -0700)]

This code is wrong on so many levels, please lose it so it isn't
replicated anywhere else.

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Add UDP_MIB_{SND,RCV}BUFERRORS handling.
David S. Miller [Tue, 15 Aug 2006 07:00:09 +0000 (00:00 -0700)]

Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: add the UdpSndbufErrors and UdpRcvbufErrors MIBs
Martin Bligh [Tue, 15 Aug 2006 06:57:10 +0000 (23:57 -0700)]

Signed-off-by: Martin Bligh <mbligh@google.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
[DECNET]: cleanups
Adrian Bunk [Tue, 15 Aug 2006 06:55:20 +0000 (23:55 -0700)]

- make the following needlessly global functions static:
  - dn_fib.c: dn_fib_sync_down()
  - dn_fib.c: dn_fib_sync_up()
  - dn_rules.c: dn_fib_rule_action()
- remove the following unneeded prototype:
  - dn_fib.c: dn_cache_dump()

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[TG3]: Constify firmware structs
Andreas Mohr [Tue, 15 Aug 2006 06:54:30 +0000 (23:54 -0700)]

Constify largish areas of firmware data in Tigon3 ethernet driver.

non-const:

lsmod:
tg3                   101404  0

objdump -x:
.rodata 000003e8
.data 00004a0c

ls -l:
-rw-r--r-- 1 root root 114404 2006-08-19 21:36 drivers/net/tg3.ko

const:

lsmod:
tg3                   101404  0

objdump -x:
.rodata 000042c8
.data 00000b4c

ls -l:
-rw-r--r-- 1 root root 114532 2006-08-19 21:06 drivers/net/tg3.ko

Signed-off-by: Andreas Mohr <andi@lisas.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6] ip6_fib.c: make code static
Adrian Bunk [Tue, 15 Aug 2006 06:49:16 +0000 (23:49 -0700)]

Make the following needlessly global code static:
- fib6_walker_lock
- struct fib6_walker_list
- fib6_walk_continue()
- fib6_walk()

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[DECNET] Fix to decnet rules compare function
Steven Whitehouse [Fri, 11 Aug 2006 23:44:18 +0000 (16:44 -0700)]

Here is a fix to the DECnet rules compare function where we used 32bit
values rather than 16bit values. Spotted by Patrick McHardy.

Signed-off-by: Steven Whitehouse <steve@chygwyn.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[DECNET] Fix to multiple tables routing
Steven Whitehouse [Fri, 11 Aug 2006 23:43:41 +0000 (16:43 -0700)]

Here is a fix to Patrick McHardy's increase number of routing tables
patch for DECnet. I did just test this and it appears to be working
fine with this patch.

Signed-off-by: Steven Whitehouse <steve@chygwyn.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET] netdev: Check name length
Stephen Hemminger [Wed, 30 Aug 2006 00:06:13 +0000 (17:06 -0700)]

Some improvements to robust name interface.  These API's are safe
now by convention, but it is worth providing some safety checks
against future bugs.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[HTB]: rbtree cleanup
Stephen Hemminger [Fri, 11 Aug 2006 06:36:01 +0000 (23:36 -0700)]

Add code to initialize rb tree nodes, and check for double deletion.
This is not a real fix, but I can make it trap sometimes and may
be a bandaid for: http://bugzilla.kernel.org/show_bug.cgi?id=6681

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[HTB]: Use hlist for hash lists.
Stephen Hemminger [Fri, 11 Aug 2006 06:35:38 +0000 (23:35 -0700)]

Use hlist instead of list for the hash list. This saves
space, and we can check for double delete better.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[HTB]: Lindent
Stephen Hemminger [Fri, 11 Aug 2006 06:35:16 +0000 (23:35 -0700)]

Code was a mess in terms of indentation.  Run through Lindent
script, and cleanup the damage. Also, don't use the vim magic
comment, and substitute inline for __inline__.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[HTB]: HTB_HYSTERESIS cleanup
Stephen Hemminger [Fri, 11 Aug 2006 06:34:02 +0000 (23:34 -0700)]

Change the conditional compilation around HTB_HYSTERESIS
since code was splitting mid expression.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[HTB]: Remove lock macro.
Stephen Hemminger [Fri, 11 Aug 2006 06:33:16 +0000 (23:33 -0700)]

Get rid of the macro's being used to obscure the locking.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[HTB]: Remove broken debug code.
Stephen Hemminger [Fri, 11 Aug 2006 06:31:08 +0000 (23:31 -0700)]

The HTB network scheduler had debug code that wouldn't compile
and confused and obfuscated the code, remove it.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Increase RT_TABLE_MAX to 2^32
Patrick McHardy [Fri, 11 Aug 2006 06:12:34 +0000 (23:12 -0700)]

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[DECNET]: Increase number of possible routing tables to 2^32
Patrick McHardy [Fri, 11 Aug 2006 06:11:47 +0000 (23:11 -0700)]

Increase the number of possible routing tables to 2^32 by replacing the
fixed sized array of pointers by a hash table and replacing iterations
over all possible table IDs by hash table walking.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Increase number of possible routing tables to 2^32
Patrick McHardy [Fri, 11 Aug 2006 06:11:17 +0000 (23:11 -0700)]

Increase number of possible routing tables to 2^32 by replacing iterations
over all possible table IDs by hash table walking.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Increase number of possible routing tables to 2^32
Patrick McHardy [Fri, 11 Aug 2006 06:10:46 +0000 (23:10 -0700)]

Increase the number of possible routing tables to 2^32 by replacing the
fixed sized array of pointers by a hash table and replacing iterations
over all possible table IDs by hash table walking.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Introduce RTA_TABLE/FRA_TABLE attributes
Patrick McHardy [Fri, 11 Aug 2006 06:09:48 +0000 (23:09 -0700)]

Introduce RTA_TABLE route attribute and FRA_TABLE routing rule attribute
to hold 32 bit routing table IDs. Userspace compatibility is provided by
continuing to accept and send the rtm_table field, but because of its
limited size it can only carry the low 8 bits of the table ID. This
implies that if larger IDs are used, _all_ userspace programs using them
need to use RTA_TABLE.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Use u32 for routing table IDs
Patrick McHardy [Fri, 11 Aug 2006 06:08:33 +0000 (23:08 -0700)]

Use u32 for routing table IDs in net/ipv4 and net/decnet in preparation of
support for a larger number of routing tables. net/ipv6 already uses u32
everywhere and needs no further changes. No functional changes are made by
this patch.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGHBOUR]: Use ALIGN() macro.
Stephen Hemminger [Fri, 11 Aug 2006 06:03:23 +0000 (23:03 -0700)]

Rather than opencoding the mask, it looks better to use ALIGN()
macro from kernel.h.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Kill double initialization in sock_alloc_inode.
David S. Miller [Thu, 10 Aug 2006 07:22:41 +0000 (00:22 -0700)]

No need to set ei->socket.flags to zero twice.

Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Remove unnecessary config.h includes from net/
Dave Jones [Fri, 22 Sep 2006 21:00:29 +0000 (14:00 -0700)]

config.h is automatically included by kbuild these days.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: sock_register interface changes
Stephen Hemminger [Thu, 10 Aug 2006 04:03:17 +0000 (21:03 -0700)]

The sock_register() doesn't change the family, so the protocols can
define it read-only.  No caller ever checks the return value from
sock_unregister().

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: socket family using RCU
Stephen Hemminger [Fri, 1 Sep 2006 07:23:39 +0000 (00:23 -0700)]

Replace the gross custom locking done in socket code for net_family[]
with simple RCU usage. Some reordering necessary to avoid sleep issues
with sock_alloc.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: drop unused elements from net_proto_family
Stephen Hemminger [Thu, 10 Aug 2006 03:50:00 +0000 (20:50 -0700)]

Three values in net_proto_family are defined but never used.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET] socket: code style cleanup
Stephen Hemminger [Fri, 1 Sep 2006 07:19:31 +0000 (00:19 -0700)]

Make socket.c conform to current style:
* run through Lindent
* get rid of unneeded casts
* split assignment and comparison where possible

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[SUNRPC]: Remove the unnecessary check for highmem in xs_sendpages().
Sridhar Samudrala [Thu, 10 Aug 2006 00:03:17 +0000 (17:03 -0700)]

Just call kernel_sendpage() directly.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[DECNET]: Convert rwlock to spinlock
Steven Whitehouse [Wed, 9 Aug 2006 23:00:57 +0000 (16:00 -0700)]

As per Stephen Hemminger's recent patch to ipv4/fib_semantics.c this
is the same change but for DECnet.

Signed-off-by: Steven Whitehouse <steve@chygwyn.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[DECNET]: Convert rules to use generic code
Steven Whitehouse [Wed, 9 Aug 2006 22:56:46 +0000 (15:56 -0700)]

This patch converts the DECnet rules code to use the generic
rules system created by Thomas Graf <tgraf@suug.ch>.

Signed-off-by: Steven Whitehouse <steve@chygwyn.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Use network-order dport for all visible inet_lookup_*
Herbert Xu [Wed, 9 Aug 2006 22:47:12 +0000 (15:47 -0700)]

Right now most inet_lookup_* functions take a host-order hnum instead
of a network-order dport because that's how it is represented
internally.

This means that users of these functions have to be careful about
using the right byte-order.  To add more confusion, inet_lookup takes
a network-order dport unlike all other functions.

So this patch changes all visible inet_lookup functions to take a
dport and move all dport->hnum conversion inside them.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4] fib: convert reader/writer to spinlock
Stephen Hemminger [Tue, 29 Aug 2006 23:48:09 +0000 (16:48 -0700)]

There is no point in using a more expensive reader/writer lock
for a low contention lock like the fib_info_lock. The only
reader case is in handling route redirects.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Make sure fib6_rule_lookup doesn't return NULL
Ville Nuorvala [Tue, 8 Aug 2006 23:44:17 +0000 (16:44 -0700)]

The callers of fib6_rule_lookup don't expect it to return NULL,
therefore it must return ip6_null_entry whenever fib_rule_lookup fails.

Signed-off-by: Ville Nuorvala <vnuorval@tcs.hut.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Uninline inet_lookup_listener
Herbert Xu [Tue, 8 Aug 2006 09:18:10 +0000 (02:18 -0700)]

By modern standards this function is way too big to be inlined.  It's
even bigger than __inet_lookup_listener :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[INET]: Remove is_setbyuser patch
Louis Nyffenegger [Tue, 8 Aug 2006 07:56:11 +0000 (00:56 -0700)]

The value is_setbyuser from struct ip_options is never used and set
only one time (http://linux-net.osdl.org/index.php/TODO#IPV4).
This little patch removes it from the kernel source.

Signed-off-by: Louis Nyffenegger <louis.nyffenegger@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Kill fib4_rules_clean().
David S. Miller [Tue, 8 Aug 2006 04:56:52 +0000 (21:56 -0700)]

As noted by Adrian Bunk this function is totally unused.

Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Protect RTM_GETRULE table entry with IPV6_MULTIPLE_TABLES ifdef
David S. Miller [Tue, 8 Aug 2006 04:54:37 +0000 (21:54 -0700)]

This is how IPv4 handles this case too.

Based upon a patch from Andrew Morton.

Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Make code static.
Adrian Bunk [Tue, 8 Aug 2006 04:50:48 +0000 (21:50 -0700)]

This patch makes needlessly global code static.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
[SUNRPC]: Update to use in-kernel sockets API.
Sridhar Samudrala [Tue, 8 Aug 2006 03:58:01 +0000 (20:58 -0700)]

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Round out in-kernel sockets API
Sridhar Samudrala [Tue, 8 Aug 2006 03:57:31 +0000 (20:57 -0700)]

This patch implements wrapper functions that provide a convenient way
to access the sockets API for in-kernel users like sunrpc, cifs &
ocfs2 etc and any future users.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Move netlink neighbour table bits to linux/neighbour.h
Thomas Graf [Tue, 8 Aug 2006 01:00:57 +0000 (18:00 -0700)]

rtnetlink_rcv_msg() is no longer required to parse attributes
for the neighbour tables layer, remove dependency on obsolete and
buggy rta_buf.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Convert neighbour table dumping to new netlink api
Thomas Graf [Tue, 8 Aug 2006 01:00:18 +0000 (18:00 -0700)]

Also fixes skipping of already dumped neighbours.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Convert neighbour table modification to new netlink api
Thomas Graf [Tue, 8 Aug 2006 00:58:53 +0000 (17:58 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Move netlink neighbour bits to linux/neighbour.h
Thomas Graf [Tue, 8 Aug 2006 00:57:44 +0000 (17:57 -0700)]

Moves netlink neighbour bits to linux/neighbour.h. Also
moves bits to be exported to userspace from net/neighbour.h
to linux/neighbour.h and removes __KERNEL__ guards, userspace
is not supposed to be using it.

rtnetlink_rcv_msg() is no longer required to parse attributes
for the neighbour layer, remove dependency on obsolete and
buggy rta_buf.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Convert neighbour dumping to new netlink api
Thomas Graf [Tue, 8 Aug 2006 00:56:37 +0000 (17:56 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Convert neighbour addition to new netlink api
Thomas Graf [Tue, 8 Aug 2006 00:55:40 +0000 (17:55 -0700)]

Fixes:
    Return EAFNOSUPPORT if no table matches the specified
    address family.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NEIGH]: Convert neighbour deletion to new netlink api
Thomas Graf [Tue, 8 Aug 2006 00:53:08 +0000 (17:53 -0700)]

Fixes:
  Return ENOENT if the neighbour is not found (was EINVAL)
  Return EAFNOSUPPORT if no table matches the specified
  address family.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Fix policy routing lookup
Patrick McHardy [Mon, 7 Aug 2006 05:24:08 +0000 (22:24 -0700)]

When the lookup in a table returns ip6_null_entry the policy routing lookup
returns it instead of continuing in the next table, which effectively means
it only searches the local table.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Fix crash in ip6_del_rt
Patrick McHardy [Mon, 7 Aug 2006 05:22:47 +0000 (22:22 -0700)]

ip6_null_entry doesn't have rt6i_table set, when trying to delete it the
kernel crashes dereferencing table->tb6_lock.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Fix thinko in rt6_fill_node
Patrick McHardy [Sat, 5 Aug 2006 09:20:42 +0000 (02:20 -0700)]

This looks like a mistake, the table ID is overwritten again.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_queue: handle GSO packets
Patrick McHardy [Sat, 5 Aug 2006 07:58:52 +0000 (00:58 -0700)]

Handle GSO packets in nf_queue by segmenting them before queueing to
avoid breaking GSO in case they get mangled.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Get rid of HW checksum invalidation
Patrick McHardy [Sat, 5 Aug 2006 07:58:33 +0000 (00:58 -0700)]

Update hardware checksums incrementally to avoid breaking GSO.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE
Patrick McHardy [Tue, 29 Aug 2006 23:44:56 +0000 (16:44 -0700)]

Replace CHECKSUM_HW by CHECKSUM_PARTIAL (for outgoing packets, whose
checksum still needs to be completed) and CHECKSUM_COMPLETE (for
incoming packets, device supplied full checksum).

Patch originally from Herbert Xu, updated by myself for 2.6.18-rc3.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: netbios conntrack: fix compile
Patrick McHardy [Sat, 5 Aug 2006 07:56:16 +0000 (00:56 -0700)]

Fix compile breakage caused by move of IFA_F_SECONDARY to new header
file.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Move netlink interface bits to linux/if.h
Thomas Graf [Sat, 5 Aug 2006 06:05:56 +0000 (23:05 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Convert link dumping to new netlink api
Thomas Graf [Sat, 5 Aug 2006 06:05:34 +0000 (23:05 -0700)]

Transforms netlink code to dump link tables to use the new
netlink api. Makes rtnl_getlink() available regardless of the
availability of the wireless extensions.

Adding copy_rtnl_link_stats() avoids the structural dependency
of struct rtnl_link_stats on struct net_device_stats and thus
avoids troubles later on.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Convert link modification to new netlink api
Thomas Graf [Fri, 11 Aug 2006 04:17:37 +0000 (21:17 -0700)]

Transforms do_setlink() into rtnl_setlink() using the new
netlink api. A warning message printed to the console is
added in the event that a change request fails while part
of the change request has been committed already. The ioctl()
based nature of net devices makes it almost impossible to
move on to atomic netlink operations without obsoleting
some of the functionality.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPv4]: Move interface address bits to linux/if_addr.h
Thomas Graf [Sat, 5 Aug 2006 06:04:54 +0000 (23:04 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Convert address dumping to new netlink api
Thomas Graf [Sat, 5 Aug 2006 06:04:36 +0000 (23:04 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Convert address deletion to new netlink api
Thomas Graf [Sat, 5 Aug 2006 06:04:17 +0000 (23:04 -0700)]

Fixes various unvalidated netlink attributes causing
memory corruptions when left empty by userspace.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Convert address addition to new netlink api
Thomas Graf [Sat, 5 Aug 2006 06:03:53 +0000 (23:03 -0700)]

Adds rtm_to_ifaddr() transforming a netlink message to a
struct in_ifaddr. Fixes various unvalidated netlink attributes
causing memory corruptions when left empty by userspace
applications.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLINK]: Convert core netlink handling to new netlink api
Thomas Graf [Sat, 5 Aug 2006 06:03:29 +0000 (23:03 -0700)]

Fixes a theoretical memory and locking leak when the size of
the netlink header would exceed the skb tailroom.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLINK]: Extend netlink messaging interface
Thomas Graf [Sat, 5 Aug 2006 06:03:05 +0000 (23:03 -0700)]

Adds:
 nlmsg_get_pos()                 return current position in message
 nlmsg_trim()                    trim part of message
 nla_reserve_nohdr(skb, len)     reserve room for an attribute w/o hdr
 nla_put_nohdr(skb, len, data)   add attribute w/o hdr
 nla_find_nested()               find attribute in nested attributes

Fixes nlmsg_new() to take allocation flags and consider size.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV4]: Use Protocol Independent Policy Routing Rules Framework
Thomas Graf [Fri, 4 Aug 2006 10:39:22 +0000 (03:39 -0700)]

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPV6]: Policy Routing Rules
Thomas Graf [Fri, 4 Aug 2006 10:39:02 +0000 (03:39 -0700)]

Adds support for policy routing rules including a new
local table for routes with a local destination.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Protocol Independent Policy Routing Rules Framework
Thomas Graf [Fri, 4 Aug 2006 10:38:38 +0000 (03:38 -0700)]

Derived from net/ipv/fib_rules.c

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[IPV6]: Multiple Routing Tables
Thomas Graf [Sat, 5 Aug 2006 06:20:06 +0000 (23:20 -0700)]
[IPV6]: Multiple Routing Tables

Adds the framework to support multiple IPv6 routing tables.
Currently all automatically generated routes are put into the
same table. This could be changed at a later point after
considering the produced locking overhead.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[IPV6]: Remove ndiscs rt6_lock dependency
Thomas Graf [Fri, 4 Aug 2006 10:37:36 +0000 (03:37 -0700)]
[IPV6]: Remove ndiscs rt6_lock dependency

(Ab)using rt6_lock wouldn't work anymore if rt6_lock is
converted into a per table lock.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NetLabel]: tie NetLabel into the Kconfig system
Paul Moore [Thu, 3 Aug 2006 23:50:39 +0000 (16:50 -0700)]
[NetLabel]: tie NetLabel into the Kconfig system

Modify the net/Kconfig file to enable selecting the NetLabel Kconfig
options.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NetLabel]: SELinux support
Venkat Yekkirala [Sat, 5 Aug 2006 06:17:57 +0000 (23:17 -0700)]
[NetLabel]: SELinux support

Add NetLabel support to the SELinux LSM and modify the
socket_post_create() LSM hook to return an error code.  The most
significant part of this patch is the addition of NetLabel hooks into
the following SELinux LSM hooks:

 * selinux_file_permission()
 * selinux_socket_sendmsg()
 * selinux_socket_post_create()
 * selinux_socket_sock_rcv_skb()
 * selinux_socket_getpeersec_stream()
 * selinux_socket_getpeersec_dgram()
 * selinux_sock_graft()
 * selinux_inet_conn_request()

The basic reasoning behind this patch is that outgoing packets are
"NetLabel'd" by labeling their socket and the NetLabel security
attributes are checked via the additional hook in
selinux_socket_sock_rcv_skb().  NetLabel itself is only a labeling
mechanism, similar to filesystem extended attributes, it is up to the
SELinux enforcement mechanism to perform the actual access checks.

In addition to the changes outlined above this patch also includes
some changes to the extended bitmap (ebitmap) and multi-level security
(mls) code to import and export SELinux TE/MLS attributes into and out
of NetLabel.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NetLabel]: CIPSOv4 and Unlabeled packet integration
Paul Moore [Thu, 3 Aug 2006 23:48:59 +0000 (16:48 -0700)]
[NetLabel]: CIPSOv4 and Unlabeled packet integration

Add CIPSO/IPv4 and unlabeled packet management to the NetLabel
subsystem.  The CIPSO/IPv4 changes allow the configuration of
CIPSO/IPv4 within the overall NetLabel framework.  The unlabeled
packet changes allows NetLabel to pass unlabeled packets without
error.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NetLabel]: core NetLabel subsystem
Paul Moore [Thu, 3 Aug 2006 23:48:37 +0000 (16:48 -0700)]
[NetLabel]: core NetLabel subsystem

Add a new kernel subsystem, NetLabel, to provide explicit packet
labeling services (CIPSO, RIPSO, etc.) to LSM developers.  NetLabel is
designed to work in conjunction with a LSM to intercept and decode
security labels on incoming network packets as well as ensure that
outgoing network packets are labeled according to the security
mechanism employed by the LSM.  The NetLabel subsystem is configured
through a Generic NETLINK interface described in the header files
included in this patch.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NetLabel]: CIPSOv4 engine
Paul Moore [Thu, 3 Aug 2006 23:48:06 +0000 (16:48 -0700)]
[NetLabel]: CIPSOv4 engine

Add support for the Commercial IP Security Option (CIPSO) to the IPv4
network stack.  CIPSO has become a de-facto standard for
trusted/labeled networking amongst existing Trusted Operating Systems
such as Trusted Solaris, HP-UX CMW, etc.  This implementation is
designed to be used with the NetLabel subsystem to provide explicit
packet labeling to LSM developers.

The CIPSO/IPv4 packet labeling works by the LSM calling a NetLabel API
function which attaches a CIPSO label (IPv4 option) to a given socket;
this in turn attaches the CIPSO label to every packet leaving the
socket without any extra processing on the outbound side.  On the
inbound side the individual packet's sk_buff is examined through a
call to a NetLabel API function to determine if a CIPSO/IPv4 label is
present and if so the security attributes of the CIPSO label are
returned to the caller of the NetLabel API function.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
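Added example, not part of this commit or of the kernel's CIPSO engine: a stand-alone C parser for the CIPSO IPv4 option as the inbound path has to examine it, following the layout of the IETF CIPSO draft (option type 134, option length, 4-byte DOI, then tags) and extracting the sensitivity level and category bitmap from a type 1 "restricted bitmap" tag while rejecting tags that overrun the option. The sample options are constructed bytes, not captured traffic; rejecting a duplicate type 1 tag and the MSB-first category bit convention are this parser's choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CIPSO IPv4 option: type 134, length, 4-byte DOI, then one or more tags.
 * Tag type 1: tag type, tag length, alignment octet, sensitivity level,
 * up to 30 octets of category bitmap. */
#define CIPSO_V4_OPT_TYPE      134
#define CIPSO_V4_HDR_LEN       6
#define CIPSO_V4_OPT_MAX_LEN   40   /* IPv4 options cannot exceed 40 bytes */
#define CIPSO_V4_TAG_RBITMAP   1
#define CIPSO_V4_TAG1_HDR_LEN  4
#define CIPSO_V4_TAG1_CAT_MAX  30

struct cipso_label {
    uint32_t doi;
    uint8_t  level;
    uint8_t  cat_bitmap[CIPSO_V4_TAG1_CAT_MAX];
    size_t   cat_bytes;
};

/* Parse the option at opt (avail bytes readable). Returns 0 and fills out on
 * success, -1 on anything malformed; on -1 nothing in out should be trusted. */
int cipso_v4_parse(const uint8_t *opt, size_t avail, struct cipso_label *out)
{
    if (avail < CIPSO_V4_HDR_LEN || opt[0] != CIPSO_V4_OPT_TYPE) return -1;
    size_t opt_len = opt[1];
    if (opt_len < CIPSO_V4_HDR_LEN || opt_len > avail || opt_len > CIPSO_V4_OPT_MAX_LEN)
        return -1;
    memset(out, 0, sizeof *out);
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8) | opt[5];

    int found = 0;
    size_t off = CIPSO_V4_HDR_LEN;
    while (off < opt_len) {
        if (opt_len - off < 2) return -1;          /* need tag type + tag length */
        uint8_t tag_type = opt[off], tag_len = opt[off + 1];
        if (tag_len < 2 || off + tag_len > opt_len) return -1;   /* tag overruns option */
        if (tag_type == CIPSO_V4_TAG_RBITMAP) {
            if (tag_len < CIPSO_V4_TAG1_HDR_LEN ||
                tag_len > CIPSO_V4_TAG1_HDR_LEN + CIPSO_V4_TAG1_CAT_MAX || found)
                return -1;                          /* bad size or duplicate tag */
            out->level = opt[off + 3];
            out->cat_bytes = tag_len - CIPSO_V4_TAG1_HDR_LEN;
            memcpy(out->cat_bitmap, opt + off + CIPSO_V4_TAG1_HDR_LEN, out->cat_bytes);
            found = 1;
        }
        /* other tag types (enumerated, ranged, ...) are skipped by this demo */
        off += tag_len;
    }
    return found ? 0 : -1;
}

/* Category n is bit n of the bitmap, counting from the MSB of octet 0. */
int cipso_v4_has_category(const struct cipso_label *l, unsigned cat)
{
    size_t byte = cat / 8;
    if (byte >= l->cat_bytes) return 0;
    return (l->cat_bitmap[byte] >> (7 - (cat % 8))) & 1;
}

/* Constructed samples (not captured traffic): DOI 3, level 5, categories
 * 0, 2 and 15 set; and a copy whose tag length overruns the option. */
static const uint8_t sample_cipso_opt[12] = {
    134, 12, 0x00, 0x00, 0x00, 0x03,   /* type, length, DOI = 3 */
    1, 6, 0x00, 5, 0xA0, 0x01          /* tag 1, len 6, align, level 5, bitmap */
};
static const uint8_t bad_cipso_opt[12] = {
    134, 12, 0x00, 0x00, 0x00, 0x03,
    1, 10, 0x00, 5, 0xA0, 0x01         /* tag claims 10 bytes, only 6 remain */
};

int main(void)
{
    struct cipso_label l;
    if (cipso_v4_parse(sample_cipso_opt, sizeof sample_cipso_opt, &l) == 0)
        printf("doi=%u level=%u cat0=%d cat1=%d cat15=%d\n", l.doi, l.level,
               cipso_v4_has_category(&l, 0), cipso_v4_has_category(&l, 1),
               cipso_v4_has_category(&l, 15));
    printf("bad option rejected: %d\n",
           cipso_v4_parse(bad_cipso_opt, sizeof bad_cipso_opt, &l) == -1);
    return 0;
}
```

The length checks mirror what any receiver must do before trusting a label: the option length is bounded by both the bytes actually present and the IPv4 option maximum, and each tag is bounded by the option, so a crafted tag length cannot read past the header.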
18 years ago[NetLabel]: core network changes
Paul Moore [Thu, 3 Aug 2006 23:46:20 +0000 (16:46 -0700)]
[NetLabel]: core network changes

Changes to the core network stack to support the NetLabel subsystem.  This
includes changes to the IPv4 option handling to support CIPSO labels.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NetLabel]: documentation
Paul Moore [Thu, 3 Aug 2006 23:45:49 +0000 (16:45 -0700)]
[NetLabel]: documentation

Documentation for the NetLabel system, this includes a basic overview
of how NetLabel works, how LSM developers can integrate it into their
favorite LSM, as well as documentation on the CIPSO related sysctl
variables.  Also, due to the difficulty of finding expired IETF
drafts, I am including the IETF CIPSO draft that is the basis of the
NetLabel CIPSO implementation.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Fix build with SECURITY_NETWORK_XFRM disabled.
Venkat Yekkirala [Fri, 28 Jul 2006 05:01:34 +0000 (22:01 -0700)]
[MLSXFRM]: Fix build with SECURITY_NETWORK_XFRM disabled.

The following patch will fix the build problem (encountered by Andrew
Morton) when SECURITY_NETWORK_XFRM is not enabled.

As compared to git-net-selinux_xfrm_decode_session-build-fix.patch in
-mm, this patch sets the return parameter sid to SECSID_NULL in
selinux_xfrm_decode_session() and handles this value in the caller
selinux_inet_conn_request() appropriately.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Auto-labeling of child sockets
Venkat Yekkirala [Tue, 25 Jul 2006 06:32:50 +0000 (23:32 -0700)]
[MLSXFRM]: Auto-labeling of child sockets

This automatically labels the TCP, Unix stream, and dccp child sockets
as well as openreqs to be at the same MLS level as the peer. This will
result in the selection of appropriately labeled IPSec Security
Associations.

This also uses the sock's sid (as opposed to the isec sid) in SELinux
enforcement of secmark in rcv_skb and postroute_last hooks.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Default labeling of socket specific IPSec policies
Venkat Yekkirala [Tue, 25 Jul 2006 06:32:20 +0000 (23:32 -0700)]
[MLSXFRM]: Default labeling of socket specific IPSec policies

This defaults the label of socket-specific IPSec policies to be the
same as the socket they are set on.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Add flow labeling
Venkat Yekkirala [Sat, 5 Aug 2006 06:12:42 +0000 (23:12 -0700)]
[MLSXFRM]: Add flow labeling

This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.

The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.

ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Add security context to acquire messages using PF_KEY
Venkat Yekkirala [Tue, 25 Jul 2006 06:31:14 +0000 (23:31 -0700)]
[MLSXFRM]: Add security context to acquire messages using PF_KEY

This includes the security context of a security association created
for use by IKE in the acquire messages sent to IKE daemons using
PF_KEY. This would allow the daemons to include the security context
in the negotiation, so that the resultant association is unique to
that security context.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Add security context to acquire messages using netlink
Serge Hallyn [Tue, 25 Jul 2006 06:30:44 +0000 (23:30 -0700)]
[MLSXFRM]: Add security context to acquire messages using netlink

This includes the security context of a security association created
for use by IKE in the acquire messages sent to IKE daemons using
netlink/xfrm_user. This would allow the daemons to include the
security context in the negotiation, so that the resultant association
is unique to that security context.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Flow based matching of xfrm policy and state
Venkat Yekkirala [Tue, 25 Jul 2006 06:29:07 +0000 (23:29 -0700)]
[MLSXFRM]: Flow based matching of xfrm policy and state

This implements a seamless mechanism for xfrm policy selection and
state matching based on the flow sid. This also includes the necessary
SELinux enforcement pieces.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Add security sid to flowi
Venkat Yekkirala [Tue, 25 Jul 2006 06:28:37 +0000 (23:28 -0700)]
[MLSXFRM]: Add security sid to flowi

This adds security to the flow key for labeling of flows and also to
make flow cache lookups based on the security label seamless.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Add security sid to sock
Venkat Yekkirala [Sat, 5 Aug 2006 06:08:56 +0000 (23:08 -0700)]
[MLSXFRM]: Add security sid to sock

This adds security for IP sockets at the sock level. Security at the
sock level is needed to enforce the SELinux security policy for
security associations even when a sock is orphaned (such as in the TCP
LAST_ACK state).

This will also be used to enforce SELinux controls over data arriving
at or leaving a child socket while it's still waiting to be accepted.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Define new SELinux service routine
Venkat Yekkirala [Tue, 25 Jul 2006 06:27:16 +0000 (23:27 -0700)]
[MLSXFRM]: Define new SELinux service routine

This defines a routine that combines the Type Enforcement portion of
one sid with the MLS portion from the other sid to arrive at a new
sid. This would be used to define a sid for a security association
that is to be negotiated by IKE as well as for determining the sid for
open requests and connection-oriented child sockets.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[MLSXFRM]: Granular IPSec associations for use in MLS environments
Venkat Yekkirala [Tue, 25 Jul 2006 06:26:30 +0000 (23:26 -0700)]
[MLSXFRM]: Granular IPSec associations for use in MLS environments

The current approach to labeling Security Associations for SELinux
purposes uses a one-to-one mapping between xfrm policy rules and
security associations.

This doesn't address the needs of real world MLS (Multi-level System,
traditional Bell-LaPadula) environments where a single xfrm policy
rule (pertaining to a range, classified to secret for example) might
need to map to multiple Security Associations (one each for
classified, secret, top secret and all the compartments applicable to
these security levels).

This patch set addresses the above problem by allowing for the mapping
of a single xfrm policy rule to multiple security associations, with
each association used in the security context it is defined for. It
also includes the security context to be used in IKE negotiation in
the acquire messages sent to the IKE daemon so that a unique SA can be
negotiated for each unique security context. A couple of bug fixes are
also included; checks to make sure the SAs used by a packet match
policy (security context-wise) on the inbound and also that the bundle
used for the outbound matches the security context of the flow. This
patch set also makes the use of the SELinux sid in flow cache lookups
seamless by including the sid in the flow key itself. Also, open
requests as well as connection-oriented child sockets are labeled
automatically to be at the same level as the peer to allow for use of
appropriately labeled IPSec associations.

Description of changes:

A "sid" member has been added to the flow cache key resulting in the
sid being available at all needed locations and the flow cache lookups
automatically using the sid. The flow sid is derived from the socket
on the outbound and the SAs (unlabeled where an SA was not used) on
the inbound.

Outbound case:
1. Find policy for the socket.

2. OLD: Find an SA that matches the policy.
 NEW: Find an SA that matches BOTH the policy and the flow/socket.
   This is necessary since not every SA that matches the policy
   can be used for the flow/socket. Consider policy range Secret-TS,
   and SAs each for Secret and TS. We don't want a TS socket to
   use the Secret SA. Hence the additional check for the SA Vs. flow/socket.

3. NEW: When looking through bundles for a policy, make sure the
        flow/socket can use the bundle. If a bundle is not found,
        create one, calling for IKE if necessary. If using IKE,
        include the security context in the acquire message to the IKE
        daemon.

Inbound case:
1. OLD: Find policy for the socket.
 NEW: Find policy for the incoming packet based on the sid of the
      SA(s) it used or the unlabeled sid if no SAs were
      used. (Consider a case where a socket is "authorized" for two
      policies (unclassified-confidential, secret-top_secret). If the
      packet has come in using a secret SA, we really ought to be
      using the latter policy (secret-top_secret).)

2. OLD: BUG: No check to see if the SAs used by the packet agree with
             the policy sec_ctx-wise.

             (It was indicated in selinux_xfrm_sock_rcv_skb() that
             this was being accomplished by
             (x->id.spi == tmpl->id.spi || !tmpl->id.spi) in xfrm_state_ok,
             but it turns out tmpl->id.spi would normally be zero
             (unless xfrm policy rules specify one at the template
             level, which they usually don't).)
 NEW: The socket is checked for access to the SAs used (based on the
      sid of the SAs) in selinux_xfrm_sock_rcv_skb().

Forward case:
 This would be Step 1 from the Inbound case, followed by Steps 2 and 3
from the Outbound case.

Outstanding items/issues:

- Timewait acknowledgements and such are generated in the
  current/upstream implementation using a NULL socket, resulting in the
  any_socket sid (SYSTEM_HIGH) being used. This problem is not addressed
  by this patch set.

This patch: Add new flask definitions to SELinux

Adds a new avperm "polmatch" to arbitrate flow/state access to a xfrm
policy rule.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
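As an added illustration of the outbound and inbound steps described in the message above (not kernel code, and a deliberate simplification: a sid is modelled as a TE type plus a single MLS level, with no categories or compartments), the following C model contrasts the OLD and NEW SA selection and the NEW inbound checks on the Secret-TS example from the text. The TE type, level numbers, SPIs and policy names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified security context: a type-enforcement type plus one MLS level.
 * Categories and the full TE/MLS structure of a real SELinux sid are omitted. */
struct sid { int te; int level; };

/* An xfrm policy rule labelled with a TE type and an MLS level range. */
struct policy { int te; int lo; int hi; const char *name; };

/* A security association labelled with a single level (one SA per level). */
struct sa { int te; int level; unsigned spi; };

enum { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
enum { TE_IPSEC = 1 };   /* hypothetical TE type shared by the demo objects */
static const struct sid sid_unlabeled = { -1, -1 };   /* packet arrived without an SA */

/* "polmatch": may a flow or state labelled s use policy p? */
int polmatch(const struct policy *p, const struct sid *s)
{
    return p->te == s->te && s->level >= p->lo && s->level <= p->hi;
}

/* Step 1 in both directions: policy lookup keyed by a sid. Outbound that is
 * the socket's sid; inbound (NEW) it is the sid of the SA the packet arrived
 * on, or sid_unlabeled, rather than the receiving socket's sid. */
const struct policy *find_policy(const struct policy *pols, size_t n, const struct sid *s)
{
    for (size_t i = 0; i < n; i++)
        if (polmatch(&pols[i], s)) return &pols[i];
    return NULL;
}

static int sa_matches_policy(const struct sa *x, const struct policy *p)
{
    return x->te == p->te && x->level >= p->lo && x->level <= p->hi;
}

/* Outbound step 2, OLD: any SA inside the policy's range is accepted. */
const struct sa *select_sa_old(const struct policy *p, const struct sa *sas, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sa_matches_policy(&sas[i], p)) return &sas[i];
    return NULL;
}

/* Outbound step 2, NEW: the SA must match the policy AND the flow's own sid,
 * so a Top Secret socket is never sent over the Secret SA of a Secret-TS rule. */
const struct sa *select_sa_new(const struct policy *p, const struct sid *flow,
                               const struct sa *sas, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sa_matches_policy(&sas[i], p) &&
            sas[i].te == flow->te && sas[i].level == flow->level)
            return &sas[i];
    return NULL;
}

/* Inbound step 2, NEW: is the receiving socket allowed to use the SA the
 * packet came on? Modelled here as an exact label match. */
int sock_may_use_sa(const struct sid *sock, const struct sa *used)
{
    return used->te == sock->te && used->level == sock->level;
}

/* Constructed demo configuration from the commit text: one rule spanning
 * Secret to Top Secret, one SA each for Secret and Top Secret. */
static const struct policy demo_policies[] = {
    { TE_IPSEC, UNCLASSIFIED, CONFIDENTIAL, "unclassified-confidential" },
    { TE_IPSEC, SECRET,       TOP_SECRET,   "secret-top_secret" },
};
static const struct sa demo_sas[] = {
    { TE_IPSEC, SECRET,     0x100 },
    { TE_IPSEC, TOP_SECRET, 0x200 },
};
#define NPOL (sizeof demo_policies / sizeof demo_policies[0])
#define NSA  (sizeof demo_sas / sizeof demo_sas[0])

int main(void)
{
    struct sid ts_sock = { TE_IPSEC, TOP_SECRET };
    const struct policy *p = find_policy(demo_policies, NPOL, &ts_sock);
    const struct sa *old = select_sa_old(p, demo_sas, NSA);
    const struct sa *new = select_sa_new(p, &ts_sock, demo_sas, NSA);
    printf("policy %s: old picks spi 0x%x, new picks spi 0x%x\n",
           p->name, old->spi, new->spi);
    return 0;
}
```

Run stand-alone, the Top Secret socket matches the secret-top_secret rule under both schemes, but the OLD selection hands it the Secret SA (SPI 0x100) while the NEW selection picks the Top Secret SA (SPI 0x200); inbound, a packet arriving on the Secret SA selects the secret-top_secret rule by the SA's sid, and a Secret socket is refused an SA at another level.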