
Commit 7541bba8 authored by Linus Torvalds


Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  smack: Add a new '-CIPSO' option to the network address label configuration
  netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections
  lsm: Remove the socket_post_accept() hook
  selinux: Remove the "compat_net" compatibility code
  netlabel: Label incoming TCP connections correctly in SELinux
  lsm: Relocate the IPv4 security_inet_conn_request() hooks
  TOMOYO: Fix a typo.
  smack: convert smack to standard linux lists
parents 795e2fe0 4303154e
+37 −5
@@ -184,7 +184,8 @@ length. Single character labels using special characters, that being anything
other than a letter or digit, are reserved for use by the Smack development
team. Smack labels are unstructured, case sensitive, and the only operation
ever performed on them is comparison for equality. Smack labels cannot
contain unprintable characters or the "/" (slash) character.
contain unprintable characters or the "/" (slash) character. Smack labels
cannot begin with a '-', which is reserved for special options.

There are some predefined labels:

@@ -192,6 +193,7 @@ There are some predefined labels:
	^ 	Pronounced "hat", a single circumflex character.
	* 	Pronounced "star", a single asterisk character.
	? 	Pronounced "huh", a single question mark character.
	@ 	Pronounced "Internet", a single at sign character.

Every task on a Smack system is assigned a label. System tasks, such as
init(8) and systems daemons, are run with the floor ("_") label. User tasks
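Review bot: the new '@' entry gives only the pronunciation ("Internet") while its meaning is defined further down in the same patch (Smack Netlabel Exceptions: "any application with any label has access to it"); since the other predefined labels are explained where they are introduced, add a pointer here such as ", see Smack Netlabel Exceptions below" so the list stays self-explanatory.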
@@ -412,6 +414,36 @@ sockets.
	A privileged program may set this to match the label of another
	task with which it hopes to communicate.

Smack Netlabel Exceptions

You will often find that your labeled application has to talk to the outside,
unlabeled world. To do this there's a special file /smack/netlabel where you can
add some exceptions in the form of :
@IP1	   LABEL1 or
@IP2/MASK  LABEL2

It means that your application will have unlabeled access to @IP1 if it has
write access on LABEL1, and access to the subnet @IP2/MASK if it has write
access on LABEL2.

Entries in the /smack/netlabel file are matched by longest mask first, like in
classless IPv4 routing.

A special label '@' and an option '-CIPSO' can be used there :
@      means Internet, any application with any label has access to it
-CIPSO means standard CIPSO networking

If you don't know what CIPSO is and don't plan to use it, you can just do :
echo 127.0.0.1 -CIPSO > /smack/netlabel
echo 0.0.0.0/0 @      > /smack/netlabel

If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
Internet access, you can have :
echo 127.0.0.1      -CIPSO > /smack/netlabel
echo 192.168.0.0/16 -CIPSO > /smack/netlabel
echo 0.0.0.0/0      @      > /smack/netlabel


Writing Applications for Smack

There are three sorts of applications that will run on a Smack system. How an
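Review bot: the examples in this hunk write several rules with separate `>` redirections (e.g. `echo 127.0.0.1 -CIPSO > /smack/netlabel` followed by `echo 0.0.0.0/0 @ > /smack/netlabel`) and expect all of them to remain in effect, so the text should state explicitly that each write adds one entry to the table rather than truncating it, because a reader who knows shell redirection will assume the second write discards the first. Two smaller points in the same section: the `@IP1 LABEL1` form has no mask, so under the "longest mask first" rule the text should say a bare address is treated as a single-host entry; and "unlabeled access to @IP1 if it has write access on LABEL1" would be clearer as "if the task's label has write access to LABEL1", since it is the task label that is checked against the configured label.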
+0 −11
@@ -356,17 +356,6 @@ Who: Hans de Goede <hdegoede@redhat.com>

---------------------------

What:	SELinux "compat_net" functionality
When:	2.6.30 at the earliest
Why:	In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
	network access control functionality of SELinux.  Secmark offers both
	better performance and greater flexibility than the "compat_net"
	mechanism.  Now that the major Linux distributions have moved to
	Secmark, it is time to deprecate the older mechanism and start the
	process of removing the old code.
Who:	Paul Moore <paul.moore@hp.com>
---------------------------

What:	sysfs ui for changing p4-clockmod parameters
When:	September 2009
Why:	See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
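Review bot: dropping this schedule entry is consistent with the "selinux: Remove the "compat_net" compatibility code" commit in this merge, but the entry was the only visible statement of the agreed timing ("2.6.30 at the earliest"); the commit that removes the code should restate that the removal happened on or after that point, so users who still configure compat_net are not left without any record of when it went away.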
+0 −9
@@ -2030,15 +2030,6 @@ and is between 256 and 4096 characters. It is defined in the file
			If enabled at boot time, /selinux/disable can be used
			later to disable prior to initial policy load.

	selinux_compat_net =
			[SELINUX] Set initial selinux_compat_net flag value.
                        Format: { "0" | "1" }
                        0 -- use new secmark-based packet controls
                        1 -- use legacy packet controls
                        Default value is 0 (preferred).
                        Value can be changed at runtime via
                        /selinux/compat_net.

	serialnumber	[BUGS=X86-32]

	shapers=	[NET]
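Review bot: the removed entry documented both `selinux_compat_net =` and the runtime node `/selinux/compat_net` with no replacement text, so a boot line or init script that still sets them has nothing to consult about the new behaviour; a short note in the neighbouring `selinux=` entry, or in the commit removing the code, stating that the parameter and the selinuxfs node are gone and that the secmark-based controls (the former value 0) are now the only mode would close that gap.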
+0 −13
@@ -880,11 +880,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *	@sock contains the listening socket structure.
 *	@newsock contains the newly created server socket for connection.
 *	Return 0 if permission is granted.
 * @socket_post_accept:
 *	This hook allows a security module to copy security
 *	information into the newly created socket's inode.
 *	@sock contains the listening socket structure.
 *	@newsock contains the newly created server socket for connection.
 * @socket_sendmsg:
 *	Check permission before transmitting a message to another socket.
 *	@sock contains the socket structure.
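Review bot: the @socket_post_accept block is removed here, but the @socket_accept block just above still ends at "Return 0 if permission is granted" and does not say where the work the removed text described ("copy security information into the newly created socket's inode") now happens; a sentence in the @socket_accept description noting that the new socket's security state is established before accept completes (by whatever path the series uses) would save module authors from looking for the deleted hook.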
@@ -1554,8 +1549,6 @@ struct security_operations {
			       struct sockaddr *address, int addrlen);
	int (*socket_listen) (struct socket *sock, int backlog);
	int (*socket_accept) (struct socket *sock, struct socket *newsock);
	void (*socket_post_accept) (struct socket *sock,
				    struct socket *newsock);
	int (*socket_sendmsg) (struct socket *sock,
			       struct msghdr *msg, int size);
	int (*socket_recvmsg) (struct socket *sock,
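Review bot: removing the `(*socket_post_accept)` member changes the layout of struct security_operations, so any operations table that still initialises `.socket_post_accept` fails to compile; make sure every in-tree LSM table drops its implementation in the same commit (the merge lists "lsm: Remove the socket_post_accept() hook", which should be where that happens) so that no intermediate commit breaks bisection.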
@@ -2537,7 +2530,6 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
int security_socket_listen(struct socket *sock, int backlog);
int security_socket_accept(struct socket *sock, struct socket *newsock);
void security_socket_post_accept(struct socket *sock, struct socket *newsock);
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
			    int size, int flags);
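Review bot: with the `security_socket_post_accept()` declaration gone, its out-of-line definition and its caller in the socket accept path must be removed in the same commit or a CONFIG_SECURITY=y build breaks; neither is among the hunks shown here, so please confirm both are covered.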
@@ -2616,11 +2608,6 @@ static inline int security_socket_accept(struct socket *sock,
	return 0;
}

static inline void security_socket_post_accept(struct socket *sock,
					       struct socket *newsock)
{
}

static inline int security_socket_sendmsg(struct socket *sock,
					  struct msghdr *msg, int size)
{
+17 −0
@@ -40,6 +40,7 @@
#include <linux/net.h>
#include <linux/skbuff.h>
#include <net/netlabel.h>
#include <net/request_sock.h>
#include <asm/atomic.h>

/* known doi values */
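Review bot: `#include <net/request_sock.h>` is added only so the new `cipso_v4_req_setattr()`/`cipso_v4_req_delattr()` prototypes can name `struct request_sock`; a forward declaration `struct request_sock;` next to the other declarations would do the same without pulling the whole header into every includer of this file.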
@@ -215,6 +216,10 @@ int cipso_v4_sock_setattr(struct sock *sk,
			  const struct netlbl_lsm_secattr *secattr);
void cipso_v4_sock_delattr(struct sock *sk);
int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
int cipso_v4_req_setattr(struct request_sock *req,
			 const struct cipso_v4_doi *doi_def,
			 const struct netlbl_lsm_secattr *secattr);
void cipso_v4_req_delattr(struct request_sock *req);
int cipso_v4_skbuff_setattr(struct sk_buff *skb,
			    const struct cipso_v4_doi *doi_def,
			    const struct netlbl_lsm_secattr *secattr);
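Review bot: the request_sock variants added here come in a setattr/delattr pair, whereas the sock variants directly above have setattr/delattr/getattr; if reading the label back from a request_sock is intentionally unsupported, a one-line comment next to `cipso_v4_req_delattr()` saying so would stop the next reader from hunting for a missing `cipso_v4_req_getattr()`.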
@@ -247,6 +252,18 @@ static inline int cipso_v4_sock_getattr(struct sock *sk,
	return -ENOSYS;
}

static inline int cipso_v4_req_setattr(struct request_sock *req,
				       const struct cipso_v4_doi *doi_def,
				       const struct netlbl_lsm_secattr *secattr)
{
	return -ENOSYS;
}

static inline void cipso_v4_req_delattr(struct request_sock *req)
{
	return;
}

static inline int cipso_v4_skbuff_setattr(struct sk_buff *skb,
				      const struct cipso_v4_doi *doi_def,
				      const struct netlbl_lsm_secattr *secattr)
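Review bot: the bare `return;` in the `cipso_v4_req_delattr()` stub is redundant in a void function; an empty body is the usual style for these no-op stubs. The `-ENOSYS` return in the `cipso_v4_req_setattr()` stub matches the `cipso_v4_sock_getattr()` stub above it, which is the right choice for the CONFIG_NETLABEL=n case.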