ength after adding the CALIPSO option.
> >
> > Signed-off-by: Richard Haines
> > ---
> > net/ipv6/calipso.c | 6 +-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
>
> Acked-by: Paul Moore
Signed-off-by: Huw Davies
On Tue, Jun 21, 2016 at 05:39:28AM -0400, David Miller wrote:
> From: Huw Davies
> Date: Mon, 20 Jun 2016 14:36:40 +0100
>
> > This patch series implements RFC 5570 - Common Architecture Label IPv6
> > Security Option (CALIPSO). Its goal is to set MLS sensitivity label
for
this the CALIPSO functions are registered at module init time.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 79 +++
include/net/netlabel.h | 23 +
include/uapi/linux/audit.h | 2 +
net/ipv6/Makefile | 1 +
net/ipv6/af_inet6
This is to allow the CALIPSO labelling engine to use these.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 6 +++
net/ipv4/cipso_ipv4.c| 88 +---
net/netlabel/netlabel_kapi.c | 70 +++
3 files changed
Signed-off-by: Huw Davies
---
include/net/ipv6.h | 2 +-
net/ipv6/exthdrs_core.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 22c7a37..3e59785 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -945,7 +945,7
netlbl_audit *audit_info)
Creates a mapping between a domain and a CALIPSO doi. If
addr and mask are non-NULL this creates an address-selector
type mapping.
This also extends netlbl_cfg_map_del() to remove IPv6 address-selector
mappings.
Signed-off-by: Huw Davies
---
include/net/netlabel.h
en v2 and v1:
* Simplify ipv6_renew_options_kern() to use set_fs(KERNEL_DS).
Thanks to Hannes Frederic Sowa for suggesting this.
* Use the parent socket to account for the listener socket
option's memory usage. Again, thanks to Hannes for this.
* Added netlbl_cfg_calipso_* functions for SMAC
If a socket has a netlabel in place then don't let setsockopt() alter
the socket's IPv6 hop-by-hop option. This is in the same spirit as
the existing check for IPv4.
Signed-off-by: Huw Davies
---
security/selinux/netlabel.c | 17 -
1 file changed, 16 insertions(+),
CALIPSO is a hop-by-hop IPv6 option. A lot of this patch is based on
the equivalent CIPSO code. The main difference is due to manipulating
the options in the hop-by-hop header.
Signed-off-by: Huw Davies
---
include/net/ipv6.h | 2 +
include/net/netlabel.h | 9
LISTDEF to specify which address family to return.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 182 -
net/netlabel/netlabel_domainhash.h | 8 +-
net/netlabel/netlabel_kapi.c | 6 +-
net/netlabel/netlabel_mgmt.c | 29
Remove a specified DOI through the NLBL_CALIPSO_C_REMOVE command.
It requires the attribute:
NLBL_CALIPSO_A_DOI.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 1 +
net/ipv6/calipso.c | 48 +
net/netlabel/netlabel_calipso.c | 92
Lengths, checksum and the DOI are checked. Checking of the
level and categories are left for the socket layer.
CRC validation is performed in the calipso module to avoid
unconditionally linking crc_ccitt() into ipv6.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 6 ++
net/ipv6
The functionality is equivalent to ipv6_renew_options() except
that the newopt pointer is in kernel, not user, memory.
The kernel memory implementation will be used by the CALIPSO network
labelling engine, which needs to be able to set IPv6 hop-by-hop
options.
Signed-off-by: Huw Davies
This fixes sparse errors of the form:
incompatible types in comparison expression (different address spaces)
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 4 ++--
net/netlabel/netlabel_unlabeled.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a
Query a specified DOI through the NLBL_CALIPSO_C_LIST command.
It requires the attribute:
NLBL_CALIPSO_A_DOI.
The reply will contain:
NLBL_CALIPSO_A_MTYPE
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 4 ++
net/ipv6/calipso.c | 68
This makes it possible to route the error to the appropriate
labelling engine. CALIPSO is far less verbose than CIPSO
when encountering a bogus packet, so there is no need for a
CALIPSO error handler.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 2 +-
net/netlabel
cache.
calipso_cache_bucket_size - sets the size of a cache bucket.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 6 +
include/net/netlabel.h | 9 +-
net/ipv6/calipso.c | 264 +++-
net/ipv6/sysctl_net_ipv6.c | 19 +++
net/net
In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour. This allows selinux to label the skbuffs that it requires.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 11 +++
net/ipv6
Request sockets need to have a label that takes into account the
incoming connection as well as their parent's label. This is used
for the outgoing SYN-ACK and for their child full-socket.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 6 +++
net/ipv6/cali
Enumerate the DOI list through the NLBL_CALIPSO_C_LISTALL command.
It takes no attributes.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 4 ++
net/ipv6/calipso.c | 41
net/netlabel/netlabel_calipso.c | 106
This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands
to accept CALIPSO protocol DOIs.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 43 +++---
net/netlabel/netlabel_domainhash.h | 1 +
net/netlabel/netlabel_mgmt.c | 47
eady may do for IPv4.
Signed-off-by: Huw Davies
---
include/net/inet_sock.h | 7 ++-
net/dccp/ipv6.c | 12 +---
net/ipv4/tcp_input.c| 3 +++
net/ipv6/tcp_ipv6.c | 12 +---
4 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/include/net/inet_sock.
On Fri, May 06, 2016 at 06:59:32PM -0400, Paul Moore wrote:
> On Wed, Feb 17, 2016 at 8:22 AM, Huw Davies wrote:
> > We check lengths, checksum and the DOI. We leave checking of the
> > level and categories for the socket layer.
> >
> > Signed-off-by: Huw Davie
This fixes sparse errors of the form:
incompatible types in comparison expression (different address spaces)
This patch also removes unnecessary initialization of static variables
to NULL.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 4 ++--
net/netlabel
ption's memory usage. Again, thanks to Hannes for this.
* Added netlbl_cfg_calipso_* functions for SMACK.
* Rebased to v4.4-rc8.
Huw Davies (19):
netlabel: Mark rcu pointers with __rcu.
netlabel: Add an address family to domain hash entries.
netlabel: Initial support for the CALIPSO netlink
We check lengths, checksum and the DOI. We leave checking of the
level and categories for the socket layer.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 6 ++
net/ipv6/calipso.c| 42 ++
net/ipv6/exthdrs.c| 27
Signed-off-by: Huw Davies
---
include/net/ipv6.h | 2 +-
net/ipv6/exthdrs_core.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 3098e0d..df89320 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -935,7 +935,7
On Sun, Feb 07, 2016 at 02:56:18PM -0500, Paul Moore wrote:
> Thanks for fixing this patchset up and sending out a v2. I took a closer look
> and just sent out my comments, let me know if you have any questions.
>
> Once we get to a v3 patchset, I think it's time to reach out to Oracle and try
On Sun, Feb 07, 2016 at 02:56:08PM -0500, Paul Moore wrote:
> On Friday, January 08, 2016 09:52:46 AM Huw Davies wrote:
> > +/**
> > + * calipso_genopt - Generate a CALIPSO option
> > + * @buf: the option buffer
> > + * @start: offset from which to write
> >
On Sun, Feb 07, 2016 at 02:56:05PM -0500, Paul Moore wrote:
> On Friday, January 08, 2016 09:52:44 AM Huw Davies wrote:
> > The functionality is equivalent to ipv6_renew_options() except
> > that the newopt pointer is in kernel, not user, memory
> >
> > The kernel me
On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 17:59, Huw Davies wrote:
> > I'm confused about this one. AFAICS, this will drop packets that we
> > can't process. We don't send the icmp error, but I can certainly add
>
On Tue, Dec 22, 2015 at 09:28:37AM -0800, Casey Schaufler wrote:
> On 12/22/2015 3:46 AM, Huw Davies wrote:
> > This patch series implements RFC 5570 - Common Architecture Label IPv6
> > Security Option (CALIPSO). Its goal is to set MLS sensitivity labels
> > on IPv6 packe
On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 12:46, Huw Davies wrote:
> >
> > +/* CALIPSO RFC 5570 */
> > +
> > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
> > +{
> > + const uns
LISTDEF to specify which address family to return.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 173 -
net/netlabel/netlabel_domainhash.h | 8 +-
net/netlabel/netlabel_kapi.c | 6 +-
net/netlabel/netlabel_mgmt.c | 29
In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour. This allows selinux to label the skbuffs that it requires.
Signed-off-by: Huw Davies
---
include/net/ipv6.h | 2 +-
include/net
Request sockets need to have a label that takes into account the
incoming connection as well as their parent's label. This is used
for the outgoing SYN-ACK and for their child full-socket.
Signed-off-by: Huw Davies
---
include/net/netlabel.h | 6
net/ipv6/cali
This patch series implements RFC 5570 - Common Architecture Label IPv6
Security Option (CALIPSO). Its goal is to set MLS sensitivity labels
on IPv6 packets using a hop-by-hop option. CALIPSO is very similar to
its IPv4 cousin CIPSO and much of this series is based on that code.
Most of this series
This fixes sparse errors of the form:
netlabel_domainhash.c:126:23: error: incompatible types in comparison
expression (different address spaces)
This patch also removes unnecessary initialization of static variables
to NULL.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c
We check lengths, checksum and the DOI. We leave checking of the
level and categories for the socket layer.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 6 ++
net/ipv6/calipso.c| 43 +++
net/ipv6/exthdrs.c| 27
for
this the CALIPSO functions are registered at module init time.
Signed-off-by: Huw Davies
---
include/net/calipso.h | 79 +++
include/net/netlabel.h | 22
include/uapi/linux/audit.h | 2 +
net/ipv6/Makefile | 1 +
net/ipv6/af_inet6.c
This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands
to accept CALIPSO protocol DOIs.
Signed-off-by: Huw Davies
---
net/netlabel/netlabel_domainhash.c | 40 +--
net/netlabel/netlabel_domainhash.h | 1 +
net/netlabel/netlabel_mgmt.c | 48