On Monday, March 25, 2013 04:55:17 PM Paul Moore wrote:
> On Friday, March 15, 2013 03:18:12 PM H.J. Lu wrote:
> > On Fri, Mar 15, 2013 at 2:56 PM, H. Peter Anvin wrote:
> > > On 03/15/2013 02:15 PM, Paul Moore wrote:
> > >> On Tuesday, February 26, 2013 03:58:23 P
suggestions, provided testing
help, and contributed patches to the project.
--
paul moore
security and virtualization @ redhat
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo inf
On Friday, February 15, 2013 12:21:43 PM Paul Moore wrote:
> Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
> implementation by creating a syscall bitmask, equal to 0x4000, that
> could be applied to x32 syscalls such that the masked syscall number
> would be t
On Tuesday, February 26, 2013 03:58:23 PM Paul Moore wrote:
> On Friday, February 15, 2013 12:21:43 PM Paul Moore wrote:
> > Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
> > implementation by creating a syscall bitmask, equal to 0x4000, that
> > co
e comments regarding return values.
> } else
> return -EOPNOTSUPP;
>
> @@ -1367,7 +1367,8 @@ static int smack_socket_post_create(stru
> /*
>* Set the outbound netlbl.
>*/
> - return smack_netlabel(sock->sk);
> +
On Wednesday 13 February 2008 4:29:40 pm Adrian Bunk wrote:
> This patch makes the needlessly global secmark_tg_destroy() static.
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
Thanks for catching this.
Acked-by: Paul Moore &l
27;s mine, but
thankfully for both of us Pavel Emelyanov found this bug and fixed
it[1]. It hasn't hit Linus' tree yet but it's in the net-2.6 tree. If
you can't wait for it to hit Linus' tree you can always apply the fix
by hand, it's pretty minor.
Sorry about that.
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
> --- Paul Moore <[EMAIL PROTECTED]> wrote:
> > On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
> > > From: Casey Schaufler <[EMAIL PROTECTED]>
> > >
> > > Smack uses
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote:
> --- Paul Moore <[EMAIL PROTECTED]> wrote:
> > On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote:
> > ... you shouldn't fix-up the return value from
> > netlbl_sock_setattr(). It only returns a
up some issues noted in review.
> Make smk_cipso_doi() static.
> Create a hook for the new security_secctx_to_secid()
> using existing underlying code.
> Fill in audit data for netlbl domain calls.
> Collapse unnecessary multiple assignments.
>
> Signed-off-by: Casey Schaufle
, and contributed patches to the project.
t; #include "hashtab.h"
>
> struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const
> void *key), @@ -40,6 +41,8 @@ int hashtab_insert(struct hashtab *h, void
> *key, void *datum) u32 hvalue;
> struct hashtab_node *prev, *cur, *newnode;
>
> + co
pew.
> I was planning on sitting on this until the next policy update just
> to confirm.
Okay, no problem. Let me know how it goes.
Thanks,
-Paul
--
paul moore
www.paul-moore.com
the lblnet-next tree:
* git://git.infradead.org/users/pcmoore/lblnet-2.6_next
* http://git.infradead.org/users/pcmoore/lblnet-2.6_next
Also, a snapshot of what currently resides there:
Paul Moore (9):
selinux: fix problems in netnode when BUG() is compiled out
lsm: split the xfr
ed long))
> >
> > #define EBITMAP_UNIT_SIZE BITS_PER_LONG
> > #define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE)
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in the body of a message
(and then it hits the security tree
usually via the SELinux tree). I can't ever think of a time when I asked
Linus' to pull a tree of mine directly.
If this approach doesn't work for you, please let me know and preferably
suggest an alternative.
-Paul
;
> atomic_inc(&selinux_xfrm_refcount);
> *new_ctxp = new_ctx;
.o: In function
> `netlbl_cipsov4_add_local':
> netlabel_cipso_v4.c:(.text+0x67b9a): undefined reference to
> `cipso_v4_doi_add' netlabel_cipso_v4.c:(.text+0x67bc5): undefined reference
> to `cipso_v4_doi_free' net/built-in.o: In function
> `netlbl_cipsov4_add_std':
> netlabel_cipso_v4.c:(.text+0x68535): undefined reference to
> `cipso_v4_doi_add' netlabel_cipso_v4.c:(.text+0x68575): undefined reference
> to `cipso_v4_doi_free'
>
>
> Full randconfig file is attached.
On Friday, November 30, 2012 10:19:16 AM Paul Moore wrote:
> On Thursday, November 29, 2012 04:05:26 PM Randy Dunlap wrote:
> > On 11/28/2012 10:40 PM, Stephen Rothwell wrote:
> > > Hi all,
> >
> > > Changes since 20121128:
> > (on i386:)
>
> If I had
644
> > --- a/security/smack/Kconfig
> > +++ b/security/smack/Kconfig
> > @@ -1,5 +1,6 @@
> >
> > config SECURITY_SMACK
> >
> > bool "Simplified Mandatory Access Control Kernel Support"
> >
> > + depends on INET
> >
>
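Review bot: the added `depends on INET` under `config SECURITY_SMACK` makes Smack unselectable on kernels built without INET instead of letting it compile without the networking pieces; the Kconfig help text or the commit message should state that trade-off so the dependency reads as deliberate rather than as a build workaround for the i386 report it answers.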
with syscall arguments
* Documentation corrections
* Support for C++ in the header file
Finally, thank you to everyone who has submitted suggestions, provided testing
help, and contributed patches to the project.
ace when possible, but as Corey pointed out, our experiences with QEMU
have demonstrated that dealing with the problem exclusively in userspace just
isn't practical in every case.
Syslog might not be the answer, but RET_TRAP and the audit log aren't very
good answers either.
-name and name-to-number resolver to aid application developers
* The usual collection of bugfixes, both large and small
Finally, thank you to everyone who has submitted suggestions, provided testing
help, and contributed patches to the project.
On Friday, March 15, 2013 03:18:12 PM H.J. Lu wrote:
> On Fri, Mar 15, 2013 at 2:56 PM, H. Peter Anvin wrote:
> > On 03/15/2013 02:15 PM, Paul Moore wrote:
> >> On Tuesday, February 26, 2013 03:58:23 PM Paul Moore wrote:
> >>> On Friday, February 15, 201
PEERSEC_SECURITY_SMACK
> + default "selinux" if PEERSEC_SECURITY_SELINUX
> + default "(all)" if PEERSEC_SECURITY_ALL
> + default "(first)"
> + help
> + The name of the LSM to use with Netlabel
>
> config SECURITY_PATH
> bool "Security hooks for pathname based access control"
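Review bot: the one-line help text "The name of the LSM to use with Netlabel" does not explain the two special values the defaults introduce, "(all)" and "(first)"; the help block should spell out what each selects and what a literal LSM name such as "selinux" does, since a user configuring this option only sees this text.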
e *iface, entry->list.addr = addr->s_addr & mask->s_addr;
> entry->list.mask = mask->s_addr;
> entry->list.valid = 1;
> - lsm_init_secid(&entry->secid, secid, 0);
> + lsm_init_secid(&entry->secid, secid, lsm_netlbl_order());
See my above c
On Wednesday, July 31, 2013 08:45:52 AM Casey Schaufler wrote:
> On 7/30/2013 2:47 PM, Paul Moore wrote:
> > On Thursday, July 25, 2013 11:32:23 AM Casey Schaufler wrote:
> >> Subject: [PATCH v14 5/6] LSM: SO_PEERSEC configuration options
> >>
> >> Refine
On Wednesday, July 31, 2013 09:22:23 AM Casey Schaufler wrote:
> On 7/30/2013 3:08 PM, Paul Moore wrote:
> > On Thursday, July 25, 2013 11:32:11 AM Casey Schaufler wrote:
> >> Subject: [PATCH v14 3/6] LSM: Explicit individual LSM associations
> >>
> >> Expand
On Wednesday, July 31, 2013 02:21:54 PM Casey Schaufler wrote:
> On 7/31/2013 12:39 PM, Paul Moore wrote:
> > On Wednesday, July 31, 2013 09:22:23 AM Casey Schaufler wrote:
> >> On 7/30/2013 3:08 PM, Paul Moore wrote:
> >>> On Thursday, July 25, 2013 11:
On Thursday, August 01, 2013 11:52:14 AM Casey Schaufler wrote:
> On 8/1/2013 11:35 AM, Paul Moore wrote:
> > Okay, so if I understand everything correctly, there are no new entries in
> > /proc relating specifically to NetLabel, XFRM, or Secmark; although there
> > are new
On Thursday, August 01, 2013 03:15:00 PM Casey Schaufler wrote:
> On 8/1/2013 2:30 PM, Paul Moore wrote:
> > On Thursday, August 01, 2013 11:52:14 AM Casey Schaufler wrote:
> >> On 8/1/2013 11:35 AM, Paul Moore wrote:
> >>> Okay, so if I understand everything corre
On Friday, August 02, 2013 03:14:34 PM Cong Wang wrote:
> From: Cong Wang
>
> selinux has some similar definition like union inet_addr,
> it can re-use the generic union inet_addr too.
>
> Cc: James Morris
> Cc: Stephen Smalley
> Cc: Eric Paris
> Cc: Pau
ell. You either need to respin
this patch to include all of the LSMs (Smack should be the only other affected
LSM) or add a new patch to the patchset.
Eric and I yesterday and the trees got a bit out of
sync. All the lblnet-next patches have now been included in the SELinux tree
so I've "pruned" them from the lblnet-next tree.
Thanks for your understanding,
-Paul
7 => 174:2, 174:27 +
FYI: A fix for this was (re)sent to the SELinux list on April 4th.
* http://marc.info/?l=selinux&m=136508710131898&w=2
k_getsecid LSM hook
> + * @p - The task
> + * @secid - Where to put the secid
> + *
> + */
> +static inline void netlbl_task_getsecid(struct task_struct *p, u32 *secid)
> +{
> + if (netlbl_active_lsm)
> + netlbl_active_lsm->task_getsecid(p, secid);
&
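Review bot: netlbl_task_getsecid() leaves *secid untouched when netlbl_active_lsm is NULL, so a caller that passes an uninitialized u32 and reads it afterwards gets whatever was on the stack; either write `*secid = 0;` in that path or document in the kerneldoc block above that callers must initialize secid before the call.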
t work? Is it first-come-first-served based on the 'security='
setting?
On Wednesday, April 24, 2013 12:09:50 PM Casey Schaufler wrote:
> On 4/24/2013 11:51 AM, Paul Moore wrote:
> > On Tuesday, April 23, 2013 09:04:31 AM Casey Schaufler wrote:
> >> Subject: [PATCH v13 5/9] LSM: Networking component isolation
> >>
> >> The N
On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
> On 4/24/2013 11:57 AM, Paul Moore wrote:
> > I know we had a good discussion about this a while back and I just wanted
> > to hear from you about this current patchset; how does the labeled
> > networking LSM as
On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
> On 4/24/2013 4:00 PM, John Johansen wrote:
> > On 04/24/2013 02:15 PM, Paul Moore wrote:
> >> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
...
> >>> An interesting aside that may
On Thursday, April 25, 2013 11:09:23 AM Casey Schaufler wrote:
> On 4/25/2013 8:01 AM, Paul Moore wrote:
> > On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
> >> On 4/24/2013 4:00 PM, John Johansen wrote:
> >>> On 04/24/2013 02:15 PM, Paul Moore wrote:
On Thursday, April 25, 2013 01:21:50 PM Casey Schaufler wrote:
> On 4/25/2013 12:14 PM, Paul Moore wrote:
> > On Thursday, April 25, 2013 11:09:23 AM Casey Schaufler wrote:
> >> On 4/25/2013 8:01 AM, Paul Moore wrote:
> >>> On Wednesday, April 24, 2013 05:43:08 PM Ca
Linus' tree for some reason? I know multiple
patches have been posted from different authors, all fixing the same
thing ...
Acked-by: Paul Moore
a86a-4b16-488f-a3de-33c2cf335bf0 ro console=ttyS0,115200n8"
>
> Two different traces below. Config attached.
On Tue, Aug 7, 2012 at 5:58 PM, John Stultz wrote:
> On 08/07/2012 02:50 PM, Paul Moore wrote:
>>
>> On Tue, Aug 7, 2012 at 2:12 PM, John Stultz
>> wrote:
>>>
>>> Hi,
>>> With my kvm environment using 3.6-rc1+, I'm seeing NULL pointer
On Tuesday, August 07, 2012 10:17:32 PM Serge E. Hallyn wrote:
> Quoting Paul Moore (p...@paul-moore.com):
> > On Tue, Aug 7, 2012 at 5:58 PM, John Stultz
wrote:
> > > On 08/07/2012 02:50 PM, Paul Moore wrote:
> > >> On Tue, Aug 7, 2012 at 2:12 PM, John Stultz
&g
t_sock/sock struct which does not have the LSM data properly initialized.
I'll put together a patch shortly.
On Wednesday, August 08, 2012 09:38:21 PM Eric Dumazet wrote:
> On Wed, 2012-08-08 at 15:26 -0400, Paul Moore wrote:
> > On Wednesday, August 08, 2012 12:14:42 PM John Stultz wrote:
> > > So I bisected this down and it seems to be the following commit:
&
to go with SECINITSID_KERNEL/kernel_t for SELinux and likely the ambient label
for Smack as in both the TCP reset and timewait ACK there shouldn't be any
actual user data present.
curity)
> + return 0;
> +
> ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
> if (ssp == NULL)
> return -ENOMEM;
In the case of Smack, when the kernel boolean is true I think the right
solution is to use smack_net_ambient.
On Wednesday, August 08, 2012 04:51:56 PM Eric Paris wrote:
> On Wed, Aug 8, 2012 at 4:35 PM, Paul Moore wrote:
> > On Wednesday, August 08, 2012 10:09:38 PM Eric Dumazet wrote:
> >
> > Actually, the issue is that the shared socket doesn't have an init/alloc
> > f
2012-08-08 at 16:46 -0400, Paul Moore wrote:
> >> On Wednesday, August 08, 2012 10:32:52 PM Eric Dumazet wrote:
> >>> On Wed, 2012-08-08 at 22:09 +0200, Eric Dumazet wrote:
> >>> +static int smack_sk_alloc_security(struct sock *sk, int ...
> >>> {
On Thu, Aug 9, 2012 at 10:27 AM, Eric Dumazet wrote:
> On Thu, 2012-08-09 at 09:30 -0400, Paul Moore wrote:
>
>> In the case of a TCP syn-recv and timewait ACK things are a little less
>> clear.
>> Eric (Dumazet), it looks like we have a socket in tcp
, so the first
> call to security_sk_alloc() will populate sk->sk_security pointer,
> subsequent ones will reuse existing context.
>
> Reported-by: John Stultz
> Bisected-by: John Stultz
> Signed-off-by: Eric Dumazet
> Cc: Paul Moore
> Cc: Eric Paris
> Cc: "Serge
On Thu, Aug 9, 2012 at 11:36 AM, Eric Dumazet wrote:
> On Thu, 2012-08-09 at 11:07 -0400, Paul Moore wrote:
>
>> Is is possible to do the call to security_sk_alloc() in the ip_init()
>> function
>> or does the per-cpu nature of the socket make this a pain?
>>
&
ing like it, go in now to resolve the kernel
panic, and fix the labeling later.
u mean by the above?
I'm asking because I'm not convinced the labeling, either the old way
or the new way, was 100% correct and I think we're going to need to
change things regardless. I'm just not sure what the right solution
is just yet.
On Thursday 07 February 2008 3:04:59 pm Andrew Morton wrote:
> On Thu, 7 Feb 2008 14:50:41 -0500
>
> Paul Moore <[EMAIL PROTECTED]> wrote:
> > On Thursday 07 February 2008 2:02:06 pm [EMAIL PROTECTED] wrote:
> > > The patch titled
> > > Smack: unlabeled
On Thursday 07 February 2008 8:34:02 pm David Miller wrote:
> From: Paul Moore <[EMAIL PROTECTED]>
> Date: Thu, 7 Feb 2008 15:14:34 -0500
>
> > My apologies, those mailing list postings there haven't hit my inbox yet.
>
> I had to remove you a few days ago, see my
On Thursday 07 February 2008 9:15:19 pm David Miller wrote:
> From: Paul Moore <[EMAIL PROTECTED]>
> Date: Thu, 7 Feb 2008 20:54:56 -0500
>
> > I have no idea what was causing the mail problem, probably somebody
> > in our IT department playing around with
but RHEL/Fedora/Rawhide has a patched
version of SSH (see RH bugzilla #202856 for the discussion/patch) that
fixes the problem of IPv4 options causing SSH to reject the connection.
It turns out that SSH is being a bit overzealous (rejecting all IPv4
options) in trying to reject source-ro
er
(CC'd Casey for his thoughts).
I'm still reviewing the rest of the AF_BUS patches but wanted to ask this now
in case I was missing something.
uct security_operations selinux_ops = {
>
> .unix_stream_connect = selinux_socket_unix_stream_connect,
> .unix_may_send =selinux_socket_unix_may_send,
> + .bus_connect = selinux_socket_bus_connect,
>
> .socket_create =
functionality on
x32.
I've tested this patch with the seccomp BPF filters as well as ftrace
and everything looks reasonable to me; needless to say general usage
seemed fine as well.
Signed-off-by: Paul Moore
Cc: sta...@vger.kernel.org
Cc: Will Drewry
Cc: H. Peter Anvin
---
arch/x86/includ
On Friday, February 15, 2013 11:02:49 AM H. Peter Anvin wrote:
> On 02/15/2013 09:21 AM, Paul Moore wrote:
> > Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32
> > implementation by creating a syscall bitmask, equal to 0x4000, that
> > could be applied
a process
> is using.
>
> Signed-off-by: Corey Bryant
Were do things currently stand with this patchset? It still seems like a
reasonable addition to me.
ff-by: Jason Wang
Let me digest these changes and I'll respin the LSM/SELinux multiqueue fixes
and send them back out for re-discussion/review.
On Friday 22 February 2008 2:58:07 pm Adrian Bunk wrote:
> This patch makes the needlessly global smk_unlbl_ambient() static.
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
Fine with me.
Acked-by: Paul Moore <[EMAIL PROTECTED]>
> ---
> 60c7072cb922cdecdb8a4f08e571
rc = netlbl_sock_setattr(parent->sk, &secattr);
> - netlbl_secattr_destroy(&secattr);
> + rc = smack_netlabel(sk);
I haven't checked the latest SMACK bits, but I'm pretty sure you don't
need to assign the return value of 'smack_netlabel()' to anything here
since the function doesn't return a value.
> }
>
> /**
--
paul moore
linux security @ hp
, including files, SVIPC,
> and other tasks. Smack is a kernel based scheme that requires
> an absolute minimum of application support and a very small
> amount of configuration data.
>
> {snip}
>
> This patch includes changes made by Paul Moore <[EMAIL PROTECTED]>
> in
correctly? To my untrained eye it
looks like __netdev_alloc_skb() should be setting skb->iif (like it does for
skb->dev) but it currently doesn't.
Am I barking up the wrong tree here?
. paul moore
. linux security @ hp
-Original Message-
From: James Morris <[EMAIL PRO
On Wednesday 26 December 2007 4:52:03 pm James Morris wrote:
> On Thu, 26 Dec 2007, Paul Moore wrote:
> > As James said I'm away right now and computer access is limited.
> > However, I'm stuck in the airport right now and spent some time looking
> > at the code ...
On Wednesday 26 December 2007 4:52:03 pm James Morris wrote:
> On Thu, 26 Dec 2007, Paul Moore wrote:
> > As James said I'm away right now and computer access is limited.
> > However, I'm stuck in the airport right now and spent some time looking
> > at the code ...
On Monday 31 December 2007 12:13:32 pm Paul Moore wrote:
> On Wednesday 26 December 2007 4:52:03 pm James Morris wrote:
> > On Thu, 26 Dec 2007, Paul Moore wrote:
> > > As James said I'm away right now and computer access is limited.
> > > However, I'm stuck in
On Monday 31 December 2007 4:46:09 pm James Morris wrote:
> On Mon, 31 Dec 2007, Paul Moore wrote:
> > I'm pretty certain this is an uninitialized value problem now and not a
> > use-after-free issue. The invalid/garbage ->iif value seems to only
> > happen on packe
On Monday 19 November 2007 9:29:52 am Tetsuo Handa wrote:
> Paul Moore wrote:
> > If that is the case then the second call to
> > skb_peek() will return a different skb then the one you passed to
> > security_post_recv_datagram().
>
> Yes. The second call to skb_peek() m
using this error is git-lblnet.patch, where in the
> selinux_xfrm_enabled() is called from security/selinux/hooks.c, depends on
> the extern atomic_tselinux_xfrm_refcount.
The problem appears to be that the selinux_xfrm_refcount functionality is not
properly protected by CONFIG_SECURITY_NETWORK_XF
On Tuesday 20 November 2007 3:48:44 pm Paul Moore wrote:
> On Tuesday 20 November 2007 3:34:24 pm Kamalesh Babulal wrote:
> > Hi Andrew,
> >
> > The kernel build fails, in selinux with following error
> >
> > CHK include/linux/compile.h
> > U
es on some of the multicast stuff but I'm still learning some of
the darker corners of the stack.
If you've got some spare cycles, the kernel below should both have the
clone/iif fix (it's in Linus' tree now) as well as some printks when errors
occur so packet's are no longe
//git.infradead.org/?p=users/pcmoore/lblnet-2.6_testing;a=commitdiff;h=02f1c89d6e36507476f78108a3dcc78538be460b
On Monday 14 January 2008 2:37:02 pm [EMAIL PROTECTED] wrote:
> On Mon, 14 Jan 2008 14:07:46 EST, Paul Moore said:
> > There have been quite a few changes in lblnet-2.6_testing since
> > 2.6.24-rc6-mm1 so I would recommend taking the whole tree. I'm also not
> > quite s
On Monday 14 January 2008 6:04:28 pm [EMAIL PROTECTED] wrote:
> On Mon, 14 Jan 2008 14:07:46 EST, Paul Moore said:
> > http://git.infradead.org/?p=users/pcmoore/lblnet-2.6_testing;a=commitdiff
> >;h=02f1c89d6e36507476f78108a3dcc78538be460b
>
> Initial testing indicates tha
On Tuesday 15 January 2008 8:05:27 pm James Morris wrote:
> On Tue, 15 Jan 2008, David Howells wrote:
> > secid_to_secctx() LSM hook. This patch also includes the SELinux
> > implementation for this hook.
> >
> > Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
>
On Wednesday 16 January 2008 5:13:53 pm James Morris wrote:
> On Wed, 16 Jan 2008, Paul Moore wrote:
> > On Tuesday 15 January 2008 8:05:27 pm James Morris wrote:
> > > On Tue, 15 Jan 2008, David Howells wrote:
> > > > secid_to_secctx() LSM hook. This p
On Monday 17 December 2007 2:40:35 pm Joe Perches wrote:
> Signed-off-by: Joe Perches <[EMAIL PROTECTED]>
Thanks Joe.
Acked-by: Paul Moore <[EMAIL PROTECTED]>
> ---
> net/netlabel/netlabel_mgmt.c |2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
}
>
> -sock_setsid_return:
> netlbl_secattr_destroy(&secattr);
> +sock_setsid_return:
> return rc;
> }
>
> /**
> * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
> *
> * Description:
> * Invalidate the NetLabel securit
On Monday 28 January 2008 5:35:40 pm Adrian Bunk wrote:
> On Mon, Jan 28, 2008 at 05:23:46PM -0500, Paul Moore wrote:
> > Thanks for finding this mistake, however, I'd rather see it fixed
> > by removing the netlbl_secattr_destroy() call in
> > security_netlbl_sid
selinux_netlbl_sock_setsid().
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
security/selinux/ss/services.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4bf715d..3a16aba 100644
--- a/security/seli
On Monday 28 January 2008 10:51:24 pm David Miller wrote:
> From: Paul Moore <[EMAIL PROTECTED]>
> Date: Mon, 28 Jan 2008 21:20:26 -0500
>
> > As pointed out by Adrian Bunk, commit
> > 45c950e0f839fded922ebc0bfd59b1081cc71b70 caused a double-free when
> > secur
k_irqrestore(&sk->sk_receive_queue.lock,
> +cpu_flags);
> +no_peek:
> + skb_free_datagram(sk, skb);
> + goto no_packet;
Two things. First you can probably just call kfree_skb() instead of
skb_free_datag
On Friday 16 November 2007 10:45:32 pm Tetsuo Handa wrote:
> Paul Moore wrote:
> > I might be missing something here, but why do you need to do a skb_peek()
> > again? You already have the skb and the sock, just do the unlink.
>
> The skb might be already dequeued by other
On Saturday 17 November 2007 11:00:20 pm Tetsuo Handa wrote:
> Hello.
Hello.
> Paul Moore wrote:
> > Okay, well if that is the case I think you are going to have another
> > problem in that you could end up throwing away skbs that haven't been
> > through your secur
On Tuesday, August 28 2007 6:39:13 am Tetsuo Handa wrote:
> Hello.
Hello.
> Paul Moore wrote:
> > >* post_recv_datagram is added in skb_recv_datagram.
> >
> > Can you explain to me why this is not possible using the existing
> > securi
On Tuesday, August 28 2007 2:46:19 am Joe Perches wrote:
> On Tue, 2007-08-28 at 00:01 +, Linux Kernel Mailing List wrote:
> > +NETWORKING [LABELED] (NetLabel, CIPSO, Labeled IPsec, SECMARK)
> > +P: Paul Moore
> > +M: [EMAIL PROTECTED]
> > +L: [EMAIL PR
On Tuesday, August 28 2007 12:45:50 pm Joe Perches wrote:
> On Tue, 2007-08-28 at 08:46 -0400, Paul Moore wrote:
> > If having both a labeled networking and NetLabel maintainer entry is a
> > problem then how about the patch below?
>
> I don't think it is.
>
> &
On Monday 03 September 2007 9:15:27 am Tetsuo Handa wrote:
> Hello.
Hi.
> Paul Moore wrote:
> > I apologize for not recognizing your approach from our earlier discussion
> > on the LSM mailing list in July. Unfortunately, I have the same
> > objections to these changes
ight have
some thoughts on your network design.
[1]http://www.netfilter.org/projects/libnetfilter_queue/index.html
rough
the entire TCP handshake and then terminate the connection, which is what
allowing security_socket_post_accept() to fail would do.
y of its
> own.
The how/why of the packet rejection probably isn't all that important, but the
most likely scenario based on the ICMP error code is that the router simply
does not know about the CIPSO IP option type and is dropping the packet as a
result. I'd be very surpri
n developing and testing new kernel code. And everything else in that
>file, too.
>
I apologize for the mistake - I'm still trying to get a firm grasp on some of
the finer points of Linux kernel development and I obviously missed something
here. Unfortunately, due to the holiday I won