summaryrefslogtreecommitdiffstats
path: root/net/netlabel (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Audit: collect sessionid in netlink messagesEric Paris2008-04-283-1/+5
| | | | | | | | | | Previously I added sessionid output to all audit messages where it was available but we still didn't know the sessionid of the sender of netlink messages. This patch adds that information to netlink messages so we can audit who sent netlink messages. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* [NETLABEL]: Fix NULL deref in netlbl_unlabel_staticlist_gen() if ifindex not ↵Jesper Juhl2008-04-181-0/+4
| | | | | | | | | | | | | | | | | found dev_get_by_index() may return NULL if nothing is found. In net/netlabel/netlabel_unlabeled.c::netlbl_unlabel_staticlist_gen() the function is called, but the return value is never checked. If it returns NULL then we'll deref a NULL pointer on the very next line. I checked the callers, and I don't think this can actually happen today, but code changes over time and in the future it might happen and it does no harm to be defensive and check for the failure, so that if/when it happens we'll fail gracefully instead of crashing. Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS.YOSHIFUJI Hideaki2008-03-251-1/+1
| | | | | | | | Introduce per-net_device inlines: dev_net(), dev_net_set(). Without CONFIG_NET_NS, no namespace other than &init_net exists. Let's explicitly define them to help compiler optimizations. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
* [NETLABEL]: Move some initialization code into __init section.Pavel Emelyanov2008-02-185-7/+7
| | | | | | | | | Everything that is called from netlbl_init() can be marked with __init. This moves 620 bytes from .text section to .text.init one. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLABEL]: Shrink the genl-ops registration code.Pavel Emelyanov2008-02-183-144/+64
| | | | | | | | | Turning them to array and registration in a loop saves 80 lines of code and ~300 bytes from text section. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLABLE]: Hide netlbl_unlabel_audit_addr6 under ifdef CONFIG_IPV6.Pavel Emelyanov2008-02-131-0/+2
| | | | | | | | This one is called from under this config only, so move it in the same place. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLABEL]: Don't produce unused variables when IPv6 is off.Pavel Emelyanov2008-02-131-10/+18
| | | | | | | | | | | | | Some code declares variables on the stack, but uses them under #ifdef CONFIG_IPV6, so thay become unused when ipv6 is off. Fortunately, they are used in a switch's case branches, so the fix is rather simple. Is it OK from coding style POV to add braces inside "cases", or should I better avoid such style and rework the patch? Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLABEL]: Compilation for CONFIG_AUDIT=n case.Pavel Emelyanov2008-02-131-2/+1
| | | | | | | | | | | | The audit_log_start() will expand into an empty do { } while (0) construction and the audit_ctx becomes unused. The solution: push current->audit_context into audit_log_start() directly, since it is not required in any other place in the calling function. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLABEL]: Fix lookup logic of netlbl_domhsh_search_def.Pavel Emelyanov2008-02-131-3/+3
| | | | | | | | | | | Currently, if the call to netlbl_domhsh_search succeeds the return result will still be NULL. Fix that, by returning the found entry (if any). Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* NetLabel: introduce a new kernel configuration API for NetLabelPaul Moore2008-02-054-1/+182
| | | | | | | | | | | | | | | Add a new set of configuration functions to the NetLabel/LSM API so that LSMs can perform their own configuration of the NetLabel subsystem without relying on assistance from userspace. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* NetLabel: Add auditing to the static labeling mechanismPaul Moore2008-01-291-14/+193
| | | | | | | This patch adds auditing support to the NetLabel static labeling mechanism. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Introduce static network labels for unlabeled connectionsPaul Moore2008-01-293-17/+1519
| | | | | | | | | | | | | | | | | | Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first checks to see if any recognized NetLabel packet labeling protocols are in-use on the packet. If none can be found then the unlabled connection table is queried and based on the packets incoming interface and address it is matched with a security label as configured by the administrator using the netlabel_tools package. The matching security label is returned to the caller just as if the packet was explicitly labeled using a labeling protocol. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Add IP address family information to the netlbl_skbuff_getattr() ↵Paul Moore2008-01-291-0/+2
| | | | | | | | | | | | function In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Add secid token support to the NetLabel secattr structPaul Moore2008-01-291-0/+1
| | | | | | | | | | | This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Consolidate the LSM domain mapping/hashing locksPaul Moore2008-01-291-21/+9
| | | | | | | | | | | Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry with the hash/mapping table spinlock. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Cleanup the LSM domain hash functionsPaul Moore2008-01-291-13/+34
| | | | | | | | | | The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: Remove unneeded RCU read locksPaul Moore2008-01-295-85/+15
| | | | | | | | | | This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [NETLABEL]: Spelling fixesJoe Perches2007-12-201-1/+1
| | | | | Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: correct usage of RCU lockingPaul Moore2007-10-263-33/+12
| | | | | | | | | | This fixes some awkward, and perhaps even problematic, RCU lock usage in the NetLabel code as well as some other related trivial cleanups found when looking through the RCU locking. Most of the changes involve removing the redundant RCU read locks wrapping spinlocks in the case of a RCU writer. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Introduce nested and byteorder flag to netlink attributeThomas Graf2007-10-111-7/+7
| | | | | | | | | | | This change allows the generic attribute interface to be used within the netfilter subsystem where this flag was initially introduced. The byte-order flag is yet unused, it's intended use is to allow automatic byte order convertions for all atomic types. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: add missing rcu_dereference() calls in the LSM domain mapping ↵Paul Moore2007-08-081-4/+6
| | | | | | | | | | | | | | hash table The LSM domain mapping head table pointer was not being referenced via the RCU safe dereferencing function, rcu_dereference(). This patch adds those missing calls to the NetLabel code. This has been tested using recent linux-2.6 git kernels with no visible regressions. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Net/Security: fix memory leaks from security_secid_to_secctx()Paul Moore2007-08-021-1/+3
| | | | | | | | | | | The security_secid_to_secctx() function returns memory that must be freed by a call to security_release_secctx() which was not always happening. This patch fixes two of these problems (all that I could find in the kernel source at present). Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcementPaul Moore2007-07-194-0/+96
| | | | | | | | | | | | | | | | | | | | | Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the current runtime status of NetLabel based on the existing configuration. LSMs that make use of NetLabel, i.e. SELinux, can use this new function to determine if they should perform NetLabel access checks. This patch changes the NetLabel/SELinux glue code such that SELinux only enforces NetLabel related access checks when netlbl_enabled() returns true. At present NetLabel is considered to be enabled when there is at least one labeled protocol configuration present. The result is that by default NetLabel is considered to be disabled, however, as soon as an administrator configured a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing NetLabel related access controls - including unlabeled packet controls. This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL" blocks into a single block to ease future review as recommended by Linus. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* Audit: add TTY input auditingMiloslav Trmac2007-07-161-4/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add TTY input auditing, used to audit system administrator's actions. This is required by various security standards such as DCID 6/3 and PCI to provide non-repudiation of administrator's actions and to allow a review of past actions if the administrator seems to overstep their duties or if the system becomes misconfigured for unknown reasons. These requirements do not make it necessary to audit TTY output as well. Compared to an user-space keylogger, this approach records TTY input using the audit subsystem, correlated with other audit events, and it is completely transparent to the user-space application (e.g. the console ioctls still work). TTY input auditing works on a higher level than auditing all system calls within the session, which would produce an overwhelming amount of mostly useless audit events. Add an "audit_tty" attribute, inherited across fork (). Data read from TTYs by process with the attribute is sent to the audit subsystem by the kernel. The audit netlink interface is extended to allow modifying the audit_tty attribute, and to allow sending explanatory audit events from user-space (for example, a shell might send an event containing the final command, after the interactive command-line editing and history expansion is performed, which might be difficult to decipher from the TTY input alone). Because the "audit_tty" attribute is inherited across fork (), it would be set e.g. for sshd restarted within an audited session. To prevent this, the audit_tty attribute is cleared when a process with no open TTY file descriptors (e.g. after daemon startup) opens a TTY. See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a more detailed rationale document for an older version of this patch. [akpm@linux-foundation.org: build fix] Signed-off-by: Miloslav Trmac <mitr@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [NetLabel]: consolidate the struct socket/sock handling to just struct sockPaul Moore2007-06-081-34/+9
| | | | | | | | | | | | | | | The current NetLabel code has some redundant APIs which allow both "struct socket" and "struct sock" types to be used; this may have made sense at some point but it is wasteful now. Remove the functions that operate on sockets and convert the callers. Not only does this make the code smaller and more consistent but it pushes the locking burden up to the caller which can be more intelligent about the locks. Also, perform the same conversion (socket to sock) on the SELinux/NetLabel glue code where it make sense. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Mark netlink policies constPatrick McHardy2007-06-073-3/+3
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* SELinux: extract the NetLabel SELinux support from the security serverPaul Moore2007-04-261-3/+0
| | | | | | | | | | | Up until this patch the functions which have provided NetLabel support to SELinux have been integrated into the SELinux security server, which for various reasons is not really ideal. This patch makes an effort to extract as much of the NetLabel support from the security server as possibile and move it into it's own file within the SELinux directory structure. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [NET]: Fix kfree(skb)Patrick McHardy2007-02-281-1/+1
| | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET] NETLABEL: Fix whitespace errors.YOSHIFUJI Hideaki2007-02-111-4/+4
| | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* NetLabel: correct CIPSO tag handling when adding new DOI definitionsPaul Moore2007-01-091-3/+3
| | | | | | | | | | | The current netlbl_cipsov4_add_common() function has two problems which are fixed with this patch. The first is an off-by-one bug where it is possibile to overflow the doi_def->tags[] array. The second is a bug where the same doi_def->tags[] array was not always fully initialized, which caused sporadic failures. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: correctly fill in unused CIPSOv4 level and category mappingsPaul Moore2006-12-221-0/+9
| | | | | | | | | | | | Back when the original NetLabel patches were being changed to use Netlink attributes correctly some code was accidentially dropped which set all of the undefined CIPSOv4 level and category mappings to a sentinel value. The result is the mappings data in the kernel contains bogus mappings which always map to zero. This patch restores the old/correct behavior by initializing the mapping data to the correct sentinel value. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: perform input validation earlier on CIPSOv4 DOI add opsPaul Moore2006-12-221-11/+17
| | | | | | | | | | | There are a couple of cases where the user input for a CIPSOv4 DOI add operation was not being done soon enough; the result was unexpected behavior which was resulting in oops/panics/lockups on some platforms. This patch moves the existing input validation code earlier in the code path to protect against bogus user input. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: convert to an extensibile/sparse category bitmapPaul Moore2006-12-031-0/+201
| | | | | | | | | | | | | | | | The original NetLabel category bitmap was a straight char bitmap which worked fine for the initial release as it only supported 240 bits due to limitations in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that straight char bitmap into an extensibile/sparse bitmap in order to lay the foundation for other CIPSO tag types and protocols. This patch also has a nice side effect in that all of the security attributes passed by NetLabel into the LSM are now in a format which is in the host's native byte/bit ordering which makes the LSM specific code much simpler; look at the changes in security/selinux/ss/ebitmap.c as an example. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: honor the audit_enabled flagPaul Moore2006-12-034-39/+50
| | | | | | | | | | | The audit_enabled flag is used to signal when syscall auditing is to be performed. While NetLabel uses a Netlink interface instead of syscalls, it is reasonable to consider the NetLabel Netlink interface as a form of syscall so pay attention to the audit_enabled flag when generating audit messages in NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: check for a CIPSOv4 option before we do call into the CIPSOv4 layerPaul Moore2006-12-031-4/+2
| | | | | | | | | | Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if a CIPSO IP option is present. However, we can do this check directly in the NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save us a function call in the common case of not having a CIPSOv4 option present. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: make netlbl_lsm_secattr struct easier/quicker to understandPaul Moore2006-12-031-1/+4
| | | | | | | | | | | | | | | | | | | The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: convert the unlabeled accept flag to use RCUPaul Moore2006-12-031-7/+21
| | | | | | | | | | Currently the NetLabel unlabeled packet accept flag is an atomic type and it is checked for every non-NetLabel packet which comes into the system but rarely ever changed. This patch changes this flag to a normal integer and protects it with RCU locking. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [GENL]: Add genlmsg_put_reply() to simplify building reply headersThomas Graf2006-12-034-73/+17
| | | | | | | | | | By modyfing genlmsg_put() to take a genl_family and by adding genlmsg_put_reply() the process of constructing the netlink and generic netlink headers is simplified. Signed-off-by: Thomas Graf <tgraf@suug.ch> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [GENL]: Add genlmsg_reply() to simply unicast replies to requestsThomas Graf2006-12-033-4/+4
| | | | | | | | | A generic netlink user has no interest in knowing how to address the source of the original request. Signed-off-by: Thomas Graf <tgraf@suug.ch> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Do precise netlink message allocations where possibleThomas Graf2006-12-033-4/+4
| | | | | | | | | | | | | Account for the netlink message header size directly in nlmsg_new() instead of relying on the caller calculate it correctly. Replaces error handling of message construction functions when constructing notifications with bug traps since a failure implies a bug in calculating the size of the skb. Signed-off-by: Thomas Graf <tgraf@suug.ch> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLABEL]: Fix build failure.Paul Moore2006-11-061-1/+1
| | | | | | | | | | | | | | | | > the build with the attached .config failed, make ends with: > ... > : undefined reference to `cipso_v4_sock_getattr' > net/built-in.o: In function `netlbl_socket_getattr': ... It looks like I was stupid and made NetLabel depend on CONFIG_NET and not CONFIG_INET, the patch below should fix this by making NetLabel depend on CONFIG_INET and CONFIG_SECURITY. Please review and apply for 2.6.19. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* NetLabel: fix a cache race conditionpaul.moore@hp.com2006-10-121-1/+1
| | | | | | | | | | Testing revealed a problem with the NetLabel cache where a cached entry could be freed while in use by the LSM layer causing an oops and other problems. This patch fixes that problem by introducing a reference counter to the cache entry so that it is only freed when it is no longer in use. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [NetLabel]: audit fixups due to delayed feedbackPaul Moore2006-09-307-140/+141
| | | | | | | | | | Fix some issues Steve Grubb had with the way NetLabel was using the audit subsystem. This should make NetLabel more consistent with other kernel generated audit messages specifying configuration changes. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: add audit support for configuration changesPaul Moore2006-09-297-32/+218
| | | | | | | | | | | | | | | | This patch adds audit support to NetLabel, including six new audit message types shown below. #define AUDIT_MAC_UNLBL_ACCEPT 1406 #define AUDIT_MAC_UNLBL_DENY 1407 #define AUDIT_MAC_CIPSOV4_ADD 1408 #define AUDIT_MAC_CIPSOV4_DEL 1409 #define AUDIT_MAC_MAP_ADD 1410 #define AUDIT_MAC_MAP_DEL 1411 Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: update docs with website informationPaul Moore2006-09-261-1/+4
| | | | | | | | Now that all of the supporting pieces of NetLabel have a home at SourceForge update the Kconfig help text and add an entry to the MAINTAINERS file. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: rework the Netlink attribute handling (part 2)Paul Moore2006-09-266-830/+895
| | | | | | | | At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes to better follow the common Netlink attribute usage. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: rework the Netlink attribute handling (part 1)Paul Moore2006-09-264-369/+43
| | | | | | | | At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes to better follow the common Netlink attribute usage. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: correct improper handling of non-NetLabel peer contextsPaul Moore2006-09-261-0/+23
| | | | | | | | | | | | Fix a problem where NetLabel would always set the value of sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of the socket, causing problems when users would query the context of the connection. This patch fixes this so that the value in sk_security_struct->peer_sid is only set when the connection is NetLabel based, otherwise the value is untouched. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: add some missing #includes to various header filesPaul Moore2006-09-232-2/+7
| | | | | | | Add some missing include files to the NetLabel related header files. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Add notification message sending interfaceThomas Graf2006-09-221-1/+1
| | | | | | | | | | | | | | Adds nlmsg_notify() implementing proper notification logic. The message is multicasted to all listeners in the group. The applications the requests orignates from can request a unicast back report in which case said socket will be excluded from the multicast to avoid duplicated notifications. nlmsg_multicast() is extended to take allocation flags to allow notification in atomic contexts. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>