
Commit a205752d authored by Linus Torvalds
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  selinux: preserve boolean values across policy reloads
  selinux: change numbering of boolean directory inodes in selinuxfs
  selinux: remove unused enumeration constant from selinuxfs
  selinux: explicitly number all selinuxfs inodes
  selinux: export initial SID contexts via selinuxfs
  selinux: remove userland security class and permission definitions
  SELinux: move security_skb_extlbl_sid() out of the security server
  MAINTAINERS: update selinux entry
  SELinux: rename selinux_netlabel.h to netlabel.h
  SELinux: extract the NetLabel SELinux support from the security server
  NetLabel: convert a BUG_ON in the CIPSO code to a runtime check
  NetLabel: cleanup and document CIPSO constants
parents 39bc89fd e900a7d9
+3 −1
@@ -2980,8 +2980,10 @@ P: Stephen Smalley
M:	sds@tycho.nsa.gov
P:	James Morris
M:	jmorris@namei.org
P:	Eric Paris
M:	eparis@parisplace.org
L:	linux-kernel@vger.kernel.org (kernel issues)
L: 	selinux@tycho.nsa.gov (general discussion)
L: 	selinux@tycho.nsa.gov (subscribers-only, general discussion)
W:	http://www.nsa.gov/selinux
S:	Supported

+32 −9
@@ -91,6 +91,33 @@ static struct cipso_v4_map_cache_bkt *cipso_v4_cache = NULL;
int cipso_v4_rbm_optfmt = 0;
int cipso_v4_rbm_strictvalid = 1;

/*
 * Protocol Constants
 */

/* Maximum size of the CIPSO IP option, derived from the fact that the maximum
 * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
#define CIPSO_V4_OPT_LEN_MAX          40

/* Length of the base CIPSO option, this includes the option type (1 byte), the
 * option length (1 byte), and the DOI (4 bytes). */
#define CIPSO_V4_HDR_LEN              6

/* Base length of the restrictive category bitmap tag (tag #1). */
#define CIPSO_V4_TAG_RBM_BLEN         4

/* Base length of the enumerated category tag (tag #2). */
#define CIPSO_V4_TAG_ENUM_BLEN        4

/* Base length of the ranged categories bitmap tag (tag #5). */
#define CIPSO_V4_TAG_RNG_BLEN         4
/* The maximum number of category ranges permitted in the ranged category tag
 * (tag #5).  You may note that the IETF draft states that the maximum number
 * of category ranges is 7, but if the low end of the last category range is
 * zero then it is possibile to fit 8 category ranges because the zero should
 * be omitted. */
#define CIPSO_V4_TAG_RNG_CAT_MAX      8

/*
 * Helper Functions
 */
@@ -1109,16 +1136,15 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
				     unsigned char *net_cat,
				     u32 net_cat_len)
{
	/* The constant '16' is not random, it is the maximum number of
	 * high/low category range pairs as permitted by the CIPSO draft based
	 * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion
	 * does a sanity check to make sure we don't overflow the array. */
	int iter = -1;
	u16 array[16];
	u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
	u32 array_cnt = 0;
	u32 cat_size = 0;

	BUG_ON(net_cat_len > 30);
	/* make sure we don't overflow the 'array[]' variable */
	if (net_cat_len >
	    (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
		return -ENOSPC;

	for (;;) {
		iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1);
@@ -1196,9 +1222,6 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
 * Protocol Handling Functions
 */

#define CIPSO_V4_OPT_LEN_MAX          40
#define CIPSO_V4_HDR_LEN              6

/**
 * cipso_v4_gentag_hdr - Generate a CIPSO option header
 * @doi_def: the DOI definition
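Review bot: The comment kept at the top of cipso_v4_map_cat_rng_hton still says "The constant '16' is not random" and refers to "the BUG_ON() assertion", but this hunk removes both: the array is now sized `CIPSO_V4_TAG_RNG_CAT_MAX * 2` and the BUG_ON has become a `-ENOSPC` return, so the comment now describes code that no longer exists. I would replace it with a comment along the lines of `/* array[] holds one high/low pair per category range, so it fits CIPSO_V4_TAG_RNG_CAT_MAX ranges; the net_cat_len check below rejects a target buffer larger than the ranged tag can occupy in the 40-byte option instead of overflowing array[] */`. The loop that fills array[] and the rest of the function are outside the hunk, so it cannot be confirmed here that array_cnt is also bounded by net_cat_len; the new check only caps the caller's buffer at 30 bytes, which presumably is what keeps the 16 u16 slots sufficient. Separately, "possibile" in the new CIPSO_V4_TAG_RNG_CAT_MAX comment is a typo for "possible".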
+0 −3
@@ -263,9 +263,6 @@ int netlbl_socket_setattr(const struct socket *sock,
	int ret_val = -ENOENT;
	struct netlbl_dom_map *dom_entry;

	if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
		return -ENOENT;

	rcu_read_lock();
	dom_entry = netlbl_domhsh_getentry(secattr->domain);
	if (dom_entry == NULL)
+2 −0
@@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o

selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o

selinux-$(CONFIG_NETLABEL) += netlabel.o

EXTRA_CFLAGS += -Isecurity/selinux/include
+2 −0
@@ -217,6 +217,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
		audit_log_format(ab, " tcontext=%s", scontext);
		kfree(scontext);
	}

	BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
	audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
}
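Review bot: The new BUG_ON in avc_dump_query turns an out-of-range or unnamed tclass into a kernel panic inside the audit-logging path, although the function can continue safely if it just does not index class_to_string[]. Since tclass here is supplied by the in-kernel hooks, an out-of-range value indicates a kernel bug, which a WARN_ON plus a numeric fallback in the audit record reports without taking the machine down, and it also keeps the denial record that an administrator is most likely to need at that moment. This is a style choice rather than a defect in the bounds check itself, which is correct as written; note that the same series converts a BUG_ON in the CIPSO code to a runtime check, so the fallback would be consistent with it. avc_dump_query's signature and the earlier part of its body lie outside the hunk.
```c
	/* … unchanged: scontext/tcontext logging … */
	if (tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]) {
		/* a kernel bug, not a policy error: report it, keep the record */
		WARN_ON(1);
		audit_log_format(ab, " tclass=%u", (unsigned int)tclass);
	} else {
		audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
	}
```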
