> ---
> > The code churn is unfortunate. Alternative would be to change
> > the function signature of ->route_req:
> > struct dst_entry *(*route_req)(struct sock *sk, ...
> > [ i.e., drop 'const' ]. Thoughts?
>
> Security folks - is this
replace the flowi pointers with pointers
> to the address family independent flowi_common struct.
>
> Reported-by: Herbert Xu
> Signed-off-by: Paul Moore
Acked-by: James Morris
--
James Morris
ng back a secid.
> The infrastructure passes the correct entry from the lsmblob.
>
> Signed-off-by: Casey Schaufler
> Cc: netdev@vger.kernel.org
You probably need to include Netfilter maintainers specifically for this
(added them + the Netfilter list).
This also needs signoffs from LSM owners.
--
James Morris
ntainers on the
To: line or they may miss the email.
--
James Morris
(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
> > @@ -632,10 +627,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > }
> >
> > nlh->nlmsg_len = skb->len;
> > - if (seclen) {
> > - lsmcontext_init(&scaff, secdata, seclen, 0);
> > - security_release_secctx(&scaff);
> > - }
> > + if (context.len)
> > + security_release_secctx(&context);
> > return skb;
> >
> > nla_put_failure:
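Review bot: `context.len` is tested here but the hunk does not show where `context` is initialised; if nfqnl_build_packet_message() can reach this point, or the nlmsg_failure label below, before the secctx lookup has run, `context.len` is read uninitialised and security_release_secctx() is handed garbage. Make sure the function initialises it ahead of the first goto (for example `struct lsmcontext context = { };`) and that a failed lookup leaves `context.len` at 0.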
> > @@ -643,10 +636,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > kfree_skb(skb);
> > net_err_ratelimited("nf_queue: error creating packet message\n");
> > nlmsg_failure:
> > - if (seclen) {
> > - lsmcontext_init(&scaff, secdata, seclen, 0);
> > - security_release_secctx(&scaff);
> > - }
> > + if (context.len)
> > + security_release_secctx(&context);
> > return NULL;
> > }
> >
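Review bot: the release under nlmsg_failure now duplicates the one on the success path above; since both exits do the same `if (context.len) security_release_secctx(&context);`, a single exit label that releases the context and returns skb (NULL on the error paths) would keep the two cleanups from diverging in a later change.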
> > --
> > 2.24.1
> >
>
--
James Morris
clist()")
> Reported-by: Dan Carpenter
> Signed-off-by: Paul Moore
Reviewed-by: James Morris
> ---
> net/netlabel/netlabel_unlabeled.c |2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netlabel/netlabel_unlabeled.c
> b/ne
it version.
>
> Reported-by: Roman Kiryanov
> https://android-review.googlesource.com/c/device/generic/goldfish/+/1468545/
> Signed-off-by: Jeff Vander Stoep
Reviewed-by: James Morris
--
James Morris
On Tue, 27 Oct 2020, Paul Moore wrote:
> On Wed, Sep 30, 2020 at 9:44 AM Paul Moore wrote:
> > On Tue, Sep 29, 2020 at 7:09 PM James Morris wrote:
> > > I'm not keen on adding a parameter which nobody is using. Perhaps a note
> > > in the header instead?
> >
s.
>
> Add a separate NULL check to tell gcc about it as well.
>
> Signed-off-by: Arnd Bergmann
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
fixes-v5.12
--
James Morris
On Fri, 4 May 2018, David Herrmann wrote:
> Hi
>
> This is v2 of the socketpair(2) LSM hook introduction.
Thanks, all applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
next-general
--
James Morris
ck backend and maybe the hook name change,
I'll merge this unless DaveM wants it to go in via his networking tree.
--
James Morris
On Wed, 25 Apr 2018, Paul Moore wrote:
> On Wed, Apr 25, 2018 at 2:44 PM, James Morris wrote:
> > On Mon, 23 Apr 2018, David Herrmann wrote:
> >> This patch series tries to close this gap and makes both behave the
> >> same. A new LSM-hook is added which allow
another security
> module to take over lockdown decisions once it has initialized (including
> policy load), and to be able to access state that is currently private to the
> lockdown module, like the level.
Why not utilize stacking (restrictively), similarly to capabilities?
--
James Morris
is
> missing is a way to enforce a security policy for any application by its
> developer and *unprivileged user* as seccomp can do for raw syscall filtering.
>
You could mention here that the first case is Mandatory Access Control,
in general terms.
--
James Morris
On Tue, 22 Aug 2017, Alexei Starovoitov wrote:
> more general question: what is the status of security/ bits?
> I'm assuming they still need to be reviewed and explicitly acked by James,
> right?
Yep, along with other core security developers where possible.
--
James Morris
th an ABI version, the user can
> easily check if the current kernel support that.
Don't call it an ABI, perhaps minimum policy version (similar to
what SELinux does). Changes need to be made so that any existing
userspace still works.
--
James Morris
abstract FS struct */
> };
Looks like a spurious empty line.
--
James Morris
On Wed, 4 Oct 2017, Chenbo Feng wrote:
> int bpf_map_new_fd(struct bpf_map *map, int flags)
> {
> + if (security_bpf_map(map, OPEN_FMODE(flags)))
> + return -EPERM;
> +
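Review bot: `return -EPERM` discards whatever error security_bpf_map() actually reported (an LSM may return -EACCES, -ENOMEM or -EINVAL), so userspace cannot tell a policy denial from a transient failure. Keep the hook's return value: `err = security_bpf_map(map, OPEN_FMODE(flags)); if (err) return err;`.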
Don't hardcode -EPERM here, return the actual error from
security_bpf_map().
> + if (security_bpf_prog(p
ger.kernel.org
I'd like to see Paul's acks on any networking related changes.
--
James Morris
es the problem of
> the LSM hook callers sending the wrong secid which would be much
> worse.
>
> Reported-by: Herbert Xu
> Signed-off-by: Paul Moore
I'm not keen on adding a parameter which nobody is using. Perhaps a note
in the header instead?
--
James Morris
!capable(CAP_NET_ADMIN) ||
!unprivileged_autoload(module_name)))
return -EPERM;
--
James Morris
itelist to /proc (per-task) or /sys/fs (global) ?
The per-task whitelist is inherited from the global one by default, or
from a parent process if it's been modified in the parent.
--
James Morris
net: sk_buff rbnode reorg
...
Anyone else able to reproduce this, or have any ideas on what's happening?
- James
--
James Morris
skb)->header.h4, IPCB(skb),
> > sizeof(struct inet_skb_parm));
>
> Please try this fix for IPv4 (a similar patch will be needed for IPv6)
>
> net/ipv4/tcp_ipv4.c | 51 ++
> 1 file changed, 32 insertions(+), 19 deletions(-)
Works for me, no crashes with the testsuite running in a loop.
Tested-by: James Morris
--
James Morris
On Wed, 29 Nov 2017, Casey Schaufler wrote:
> I see that there is a proposed fix later in the thread, but I don't see
> the patch. Could you send it to me, so I can try it on my problem?
Forwarded off-list.
Interestingly, I didn't see the KASAN output email from Stephen here.
--
James Morris
On Thu, 30 Nov 2017, Eric Dumazet wrote:
> On Wed, 2017-11-29 at 19:16 -0800, Casey Schaufler wrote:
> > On 11/29/2017 4:31 PM, James Morris wrote:
> > > On Wed, 29 Nov 2017, Casey Schaufler wrote:
> > >
> > > > I see that there is a proposed fix later
> Thank you Arnd for helping me figure out what went wrong.
>
> CC: Arnd Bergmann
> Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
> Signed-off-by: Anders Roxell
Note, this patch should have been sent to me and cc'd the LSM list.
Acked-by: James Morris
--
James Morris
x/lsm_hook_defs.h
> > @@ -243,7 +243,7 @@ LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct
> > *p, char *name,
> > char **value)
> > LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t
> > size)
> > LSM_HOOK(int, 0, ismaclabel, const char *name)
> > -LSM_HOOK(int, 0, secid_to_secctx, u32 secid, char **secdata,
> > +LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
> > u32 *seclen)
> > LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32
> > *secid)
> > LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
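Review bot: changing the default return of secid_to_secctx from 0 to -EOPNOTSUPP changes what security_secid_to_secctx() returns when no LSM implements the hook, while secctx_to_secid two lines below keeps a default of 0; the hunk does not show any caller being updated. Audit the audit, netlink and netfilter users of secctx so that -EOPNOTSUPP with no context is treated as "no label available" rather than a hard failure, and say in the commit message why the two conversion hooks now differ in their defaults.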
> > --
> > 2.20.1
> >
>
--
James Morris
On Thu, 10 Aug 2017, Paul Moore wrote:
> From: Paul Moore
>
> Signed-off-by: Paul Moore
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
--
James Morris
; > +F: include/net/netlabel.h
> > +F: include/uapi/linux/netfilter/xt_SECMARK.h
> > +F: include/uapi/linux/netfilter/xt_CONNSECMARK.h
> > +F: net/netlabel/
> > +F: net/ipv4/cipso_ipv4.c
> > +F: net/ipv6/calipso.c
> > +F: net/netfilter/xt_CONNSECMARK.c
> > +F: net/netfilter/xt_SECMARK.c
> >
> > NETWORKING [TLS]
> > M: Ilya Lesokhin
>
>
--
James Morris
On Wed, 18 Oct 2017, David Miller wrote:
> Series applied.
I hadn't gotten to reviewing this patchset yet.
Please wait for more acks/reviews from LSM folk for things touching
security/, next time.
--
James Morris
ual security module can decide which command need to be checked and
> how the cmd should be checked.
>
> Signed-off-by: Chenbo Feng
Acked-by: James Morris
--
James Morris
ject,
> selinux will check if processes have the right privileges. The creation
> of eBPF object are also checked at the general bpf check hook and new
> cmd introduced to eBPF domain can also be checked there.
>
> Signed-off-by: Chenbo Feng
> Acked-by: Alexei Starovoitov
Revi
configured.
>
> Signed-off-by: Chenbo Feng
> Acked-by: Stephen Smalley
Reviewed-by: James Morris
--
James Morris
not an expert on
SCTP. It would be good to see more review from networking folk.
Reviewed-by: James Morris
--
James Morris
unt for free. I also rediffed the patch against
> the latest miller tree. Is the idea or patch in any way flawed or
> unacceptable to people at the moment?
>
> Anyone willing to step up and re-ack the patch to get it moving into the
> tree?
Looks good to me.
Acked-by: Jam
I've applied this patch to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-davem
Dave, feel free to pull from that branch.
- James
--
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the
code where it make sense.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
with
> CIPSO options attached which generate error messages on certain alignment
> sensitive platforms. This patch fixes this by marking these unaligned
> accesses
> with the get_unaligned() macro.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Acked-by: James Morris &l
malley <[EMAIL PROTECTED]>
> James Morris <[EMAIL PROTECTED]>
> Patch : http://lkml.org/lkml/2007/6/7/334
> Status : patch available
This patch is queued for -mm, and will be submitted for 2.6.23.
- James
--
James Morris
<[EMAIL PROTECTED]>
-- Forwarded message --
Date: Mon, 18 Jun 2007 12:05:49 -0400
From: Jeff Dike <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Guido Guenther <[EMAIL PROTECTED]>, LKML <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: [PATCH] Allow group ownership of TUN/TAP devices
I received from
Thanks.
Acked-by: James Morris <[EMAIL PROTECTED]>
--
James Morris
<[EMAIL PROTECTED]>
(original cc list has wrong netdev addr)
-- Forwarded message --
Date: Mon, 9 Jul 2007 15:17:28 -0400 (EDT)
From: James Morris <[EMAIL PROTECTED]>
To: Tetsuo Handa <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Re: [RFC]
nsure that the peers
are appropriately notified using the standard failure paths, not just
arbitrarily propagate errors to the local user.
- James
--
James Morris
<[EMAIL PROTECTED]>
On Mon, 9 Jul 2007, Stephen Hemminger wrote:
> Isn't it better to hook into existing netfilter infrastructure somehow?
Yes, it has been suggested several times.
--
James Morris
<[EMAIL PROTECTED]>
rly populated initrd.
>
> Same goes for things like this.
>
> That's the fact of life these days, like it or not.
Same story for NFS root when using strong authentication -- something has
to be running in userland to manage that.
- James
--
James Morris
<[EMAIL PROTECTED]>
clear if it's the patch itself or coincidental
to it.
I've looked at some tcpdumps, but may not be able to get back to them
until tomorrow or the weekend, & thought it might be useful to get the
report out now.
- James
--
James Morris
<[EMAIL PROTECTED]>
On Thu, 12 Jul 2007, David Miller wrote:
> From: James Morris <[EMAIL PROTECTED]>
> Date: Thu, 12 Jul 2007 16:12:25 -0400 (EDT)
>
> > I'm seeing TCP connection stalls with current git, and a bisect found the
> > following as a possible cause:
>
> To add to
On Fri, 13 Jul 2007, Jens Axboe wrote:
> On Fri, Jul 13 2007, Johannes Berg wrote:
> > On Thu, 2007-07-12 at 16:12 -0400, James Morris wrote:
> > > I'm seeing TCP connection stalls with current git, and a bisect found the
> > > following as a possible cause:
>
16 msg_flags,
> + const u32 msg_pid,
> + const u32 msg_seq)
Why are these parameters marked const? Seems to be common throughout the
code.
- James
--
James Morris
<[EMAIL PROTECTED]>
sock->sk field is not
> +defined yet but it is not a problem as the only users of these
> +"lite" PF_INET sockets are functions which do an accept() call
> +afterwards so we will label the socket as part of the accept(). */
Coding style standard for multi
On Fri, 14 Jul 2006, [EMAIL PROTECTED] wrote:
> +/**
> + * cipso_v4_bitmap_walk - Walk a bitmap looking for a bit
> + * cipso_v4_bitmap_setbit - Sets a single bit in a bitmap
Can you use lib/bitmap.c instead?
--
James Morris
<[EMAIL PROTECTED]>
of these
global variables and using temporary pointers?
Why not just simply free each entry? The way this is coded makes it seem
like you're unsure about the safety of the code.
e.g. what could it possibly matter at this stage whether cipso_v4_cache is
NULL or not?
I think I asked t
2(&buf, iter->doi, &buf_len);
> + netlbl_putinc_u32(&buf, iter->type, &buf_len);
> + }
> + rcu_read_unlock();
> +
> + return skb;
> +}
> +
--
James Morris
<[EMAIL PROTECTED]>
On Sat, 15 Jul 2006, James Morris wrote:
> > + /* XXX - In both cases, this is kinda ugly as we have to go through
> > + the list once to determine how large of a buffer we need,
> > + drop the locks, allocate the buffer, grab the locks, and
> > + final
pin_lock().
You need to perform the search a second time under the spin_lock() as a
slow path to verify that an entry wasn't added, before adding a new one.
- James
James Morris
<[EMAIL PROTECTED]>
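The lookup-then-insert race described in the reply above, as an added example that is not part of the original thread or of the NetLabel code: a C model of a keyed cache whose fast-path lookup runs without the lock, allocates on a miss, and then searches a second time under the spinlock before adding the entry. `cache_get_or_add`, `simulate_race`, `race_window_hook` and the list itself are constructed for this illustration; the C11 `atomic_flag` stands in for a kernel `spinlock_t`, and the lockless fast path would sit under `rcu_read_lock()` in the kernel. The hook fires in the window between the miss and the insert to play the part of another CPU adding the same key at that moment.

```c
#include <stdatomic.h>
#include <stdlib.h>

struct cache_entry {
	unsigned int key;
	unsigned int value;
	struct cache_entry *next;
};

static struct cache_entry *cache_head;            /* newest entry first */
static atomic_flag cache_lock = ATOMIC_FLAG_INIT; /* stands in for spinlock_t */

static void cache_lock_acquire(void) { while (atomic_flag_test_and_set(&cache_lock)) ; }
static void cache_lock_release(void) { atomic_flag_clear(&cache_lock); }

/* Lookup only; a lockless caller would hold rcu_read_lock() in the kernel. */
static struct cache_entry *cache_find(unsigned int key)
{
	struct cache_entry *e;
	for (e = cache_head; e; e = e->next)
		if (e->key == key)
			return e;
	return NULL;
}

/* Number of entries carrying key; anything above 1 is a duplicate. */
int cache_count(unsigned int key)
{
	struct cache_entry *e;
	int n = 0;
	for (e = cache_head; e; e = e->next)
		if (e->key == key)
			n++;
	return n;
}

static struct cache_entry *entry_alloc(unsigned int key, unsigned int value)
{
	struct cache_entry *e = malloc(sizeof(*e));
	if (e) {
		e->key = key;
		e->value = value;
	}
	return e;
}

/* Caller holds cache_lock; kernel code would publish with rcu_assign_pointer(). */
static void cache_link_locked(struct cache_entry *e)
{
	e->next = cache_head;
	cache_head = e;
}

/* Hypothetical hook, only in this example: simulates another CPU inserting key
 * between this caller's miss and its own insert. */
static void (*race_window_hook)(unsigned int key, unsigned int value);

/* Look key up, adding an entry on a miss.  recheck == 0 reproduces the bug. */
struct cache_entry *cache_get_or_add(unsigned int key, unsigned int value, int recheck)
{
	struct cache_entry *e, *fresh;
	e = cache_find(key);		/* fast path, no lock held */
	if (e)
		return e;
	fresh = entry_alloc(key, value);	/* allocate outside the lock */
	if (!fresh)
		return NULL;
	if (race_window_hook)
		race_window_hook(key, value);

	cache_lock_acquire();
	if (recheck) {
		/* slow path: search again under the lock before adding */
		e = cache_find(key);
		if (e) {
			cache_lock_release();
			free(fresh);
			return e;
		}
	}
	cache_link_locked(fresh);
	cache_lock_release();
	return fresh;
}

/* The simulated competitor: a plain locked insert of the same key. */
static void competitor_insert(unsigned int key, unsigned int value)
{
	struct cache_entry *e = entry_alloc(key, value);
	if (!e)
		return;
	cache_lock_acquire();
	cache_link_locked(e);
	cache_lock_release();
}

/* Run one lookup of key with a competitor in the window; return the entry count. */
int simulate_race(unsigned int key, int recheck)
{
	race_window_hook = competitor_insert;
	cache_get_or_add(key, 1, recheck);
	race_window_hook = NULL;
	return cache_count(key);
}
```

Without the second search `simulate_race(42, 0)` leaves two entries for key 42, and whichever one later lookups hit first determines the label returned; with it, `simulate_race(43, 1)` frees the losing allocation and returns the entry the competitor added, so the cache never holds two mappings for one key.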
d mapping?
- James
--
James Morris
<[EMAIL PROTECTED]>
or double free.
>
> Signed-off-by: Stephen Hemminger <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
--
James Morris
<[EMAIL PROTECTED]>
-- Forwarded message --
Date: Tue, 25 Jul 2006 16:38:05 +0900
From: [EMAIL PROTECTED]
To: linux-kernel@vger.kernel.org
Subject: [PATCH][IPv4/IPv6] Setting 0 for unused port field.
Hello.
The recvmsg() for raw socket seems to return random u16 value
from the kernel stack memory si
On Thu, 27 Jul 2006, Thomas Graf wrote:
> + rule = kmalloc(ops->rule_size, GFP_KERNEL);
> + if (rule == NULL) {
> + err = -ENOMEM;
> + goto errout;
> + }
> + memset(rule, 0, ops->rule_size);
> +
kzalloc() ? :-)
- James
--
Jam
arameter sid to SECSID_NULL in
> selinux_xfrm_decode_session()
> and handles this value in the caller selinux_inet_conn_request()
> appropriately.
>
> Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
> --- NOTE: Not
a similar fix (e.g. xt_string looks suspect at first
glance).
cc'd Chris Wright, as this patch seems like a candidate for the stable
tree.
Signed-off-by: James Morris <[EMAIL PROTECTED]>
Signed-off-by: Stephen Smalley <[EMAIL PROTECTED]>
---
diff -purN -X dontdiff linux-
l functions static.
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
--
James Morris
<[EMAIL PROTECTED]>
Patch below fixes that.
> >
> >
> > Signed-off-by: Jesper Juhl <[EMAIL PROTECTED]>
> Agreed, thanks for catching it. The whole kfifo interface is kind of
> annoying, having to do an extra copy.
Might be cleaner to make a single return path for cleanup:
Signed-off-b
vanced functions (EXPERIMENTAL)"
> + depends on XFRM && EXPERIMENTAL
> + ---help---
> + Support advanced transformation for developers.
> +
> + If unsure, say N.
> +
> config NET_KEY
> tristate "PF_KEY sockets"
> select XFRM
>
The overall kernel config is getting very messed up because of all of
these selects.
- James
--
James Morris
<[EMAIL PROTECTED]>
gopt(skb, &prevhdr);
}
Maybe also change the naming of ->place_find to ->hdr_offset
- James
--
James Morris
<[EMAIL PROTECTED]>
>props.saddr;
Again, it'd make the code so much cleaner to provide static inline
wrappers for all of these types of:
foo = op ? op->() : bar;
and
if (op)
bar = op->();
--
James Morris
<[EMAIL PROTECTED]>
On Tue, 1 Aug 2006, Evgeniy Polyakov wrote:
> + u->ready_num = 0;
> +#ifdef CONFIG_KEVENT_USER_STAT
> + u->wait_num = u->im_num = u->total = 0;
> +#endif
Generally, #ifdefs in the body of the kernel code are discouraged. Can
you abstract these out as static inli
On Tue, 1 Aug 2006, Evgeniy Polyakov wrote:
> On Tue, Aug 01, 2006 at 09:46:58AM -0400, James Morris ([EMAIL PROTECTED])
> wrote:
> > On Tue, 1 Aug 2006, Evgeniy Polyakov wrote:
> >
> > > + u->ready_num = 0;
> > > +#ifdef CONFIG_KEVENT_USER_STAT
> >
c->sid, skb, &ad); */
> +out: return err;
> }
Did you mean to leave the call to selinux_xfrm_sock_rcv_skb() commented
out?
- James
--
James Morris
<[EMAIL PROTECTED]>
On Tue, 1 Aug 2006, Venkat Yekkirala wrote:
> +#define PACKET__COME_THRU 0x0008UL
> +#define PACKET__GO_THRU 0x0010UL
These names seem awkward, and do we really need a separate perm for each
direction?
- James
--
James Morris
&
On Tue, 1 Aug 2006, James Morris wrote:
> On Tue, 1 Aug 2006, Venkat Yekkirala wrote:
>
> > +#define PACKET__COME_THRU 0x0008UL
> > +#define PACKET__GO_THRU 0x0010UL
>
> These names seem awkward, and do we really
rent approach is needed, where the disposition of a
policy can be to re-submit a packet for another policy match after the
current bundle has been traversed (something like NF_REPEAT).
- James
--
James Morris
<[EMAIL PROTECTED]>
-- Forwarded message --
Date: Thu, 3 Aug 2006 18:35:45 -0700
From: "Siddha, Suresh B" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], linux-kernel@vger.kernel.org
Subject: [Patch] fix potential stack overflow in net/core/utils.c
On High end systems (1024 or so cpus
On Sat, 5 Aug 2006, Thomas Graf wrote:
> Collision between "[NetLabel]: SELinux support" and
> "[AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec"
>
> Signed-off-by: Thomas Graf <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTE
On Tue, 15 Aug 2006, Stephen Hemminger wrote:
> -__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
> +__be16 eth_type_trans(struct sk_buff * skb, struct net_device * dev)
Looks fine except for this.
- James
--
James Morris
<[EMAIL PROTECTED]>
this datagram
> will repeat recvmsg() forever, which is a worse side effect.
>
> So, don't give different permissions between processes who share one socket.
> Otherwise, some connections/datagrams cannot be delivered to intended process.
These semantics changes are concerning, and le
ock, *newsock, flags);
> if (err < 0) {
> sock_release(*newsock);
> + *newsock = NULL;
> goto done;
> }
>
If you get an error back from kernel_accept, you should not be trying to
use newsock.
--
James Morris
<[EMAIL PROTECTED]>
On Fri, 13 Apr 2007, Joy Latten wrote:
>
> Signed-off-by: Joy Latten <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
>
>
> diff -urpN linux-2.6.20/net/xfrm/xfrm_user.c
> linux-2.6.20.patch/net/xfrm/xfrm_user.c
> --- linux-2.6.20/net/
e !IFF_LOOPBACK check was there
in the first place.
- James
--
James Morris
<[EMAIL PROTECTED]>
Could be an upstream kernel issue lurking.
-- Forwarded message --
Date: Fri, 20 Apr 2007 22:21:26 +0200
From: Mark Stier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FYI: Xen or kernel bug?
Hello,
tcp_vegas produces division by zero kernel oopses in dom0 when running
a Xe
-- Forwarded message --
Date: Mon, 14 May 2007 08:15:50 -0700 (PDT)
From: Curtis Doty <[EMAIL PROTECTED]>
To: Linux Kernel <[EMAIL PROTECTED]>
Subject: oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr
Summary: On a multi-homed box, after turning on
/proc/sys/
this cause existing applications to break?
- James
--
James Morris
<[EMAIL PROTECTED]>
problem.
I posted one possible solution a couple of years ago (skfilter):
http://lwn.net/Articles/157137/
I think there has been some recent discussion by netfilter developers
about this issue, so perhaps you could talk to them (cc'd Patrick).
- James
--
James Morris
<[EMAIL PROTECTED]>
igned-off-by: Joy Latten <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
--
James Morris
<[EMAIL PROTECTED]>
Both patches applied to:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm
--
James Morris
<[EMAIL PROTECTED]>
hought mentioned at the first two netconfs, but it
> went nowhere because the more we discussed the implementation
> the more horrific it began to sound :-)
Don't forget Rusty's skb reservation patches from 1999...
--
James Morris
<[EMAIL PROTECTED]>
y and has
never gone anywhere :-)
--
James Morris
<[EMAIL PROTECTED]>
selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6);
> }
>
> #endif /* IPV6 */
--
James Morris
<[EMAIL PROTECTED]>
for a single packet, e.g. individual IPsec transforms, adding unwanted
> overhead and complicating the security policy.
I'm fine to ack this from a security pov -- any objections on the
networking side?
- James
--
James Morris
<[EMAIL PROTECTED]>
ary memcpy() calls
>
> * Move common code to xfrm_audit_common_stateinfo()
>Code consolidation from the "less is more" book on software development
>
> * Proper spacing around commas in function arguments
>Minor style tweak since I was already touching the
sake of consistency.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
> ---
>
> include/net/xfrm.h | 33 --
> net/ipv4/ah4.c |4 +
> net/ipv4/esp4.c|1
> net/ipv6/ah6.c
pt to transmit a packet that would result in sequence number
>overflow is an auditable event. The audit log entry for this event
>SHOULD include the SPI value, current date/time, Source Address,
>Destination Address, and (in IPv6) the cleartext Flow ID.
>
> Signed-of
This is part of a large patchset which finally "fixes" labeled networking,
which we're hoping to get into 2.6.25.
Thread @ http://thread.gmane.org/gmane.linux.kernel.lsm/4894
The patch below is the only one which is not self-contained & impacts on
core networking code.
If anyone has any object
performance reasons in any case.
> 2. Copy the ->iif field in __copy_skb_header()
Seems valid.
- James
--
James Morris
<[EMAIL PROTECTED]>
t;users, 1);
>
> atomic_inc(&(skb_shinfo(skb)->dataref));
> skb->cloned = 1;
>
--
James Morris
<[EMAIL PROTECTED]>
t; Hello - Just checking in again to see if you plan on taking these
> through the security tree?
Sure, please resend.
--
James Morris
rg/pub/scm/linux/kernel/git/jmorris/selinux-net-2.6.20.git
Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
Signed-off-by: James Morris <[EMAIL PROTECTED]>
---
security/selinux/hooks.c | 66 +++---
security/selinux/include/av_inherit.h|
about other network subsystems: xfrm, netfilter, iptables, netlink,
etc. ?
- James
--
James Morris
<[EMAIL PROTECTED]>