* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
selinux: preserve boolean values across policy reloads
selinux: change numbering of boolean directory inodes in selinuxfs
selinux: remove unused enumeration constant from selinuxfs
selinux: explicitly number all selinuxfs inodes
selinux: export initial SID contexts via selinuxfs
selinux: remove userland security class and permission definitions
SELinux: move security_skb_extlbl_sid() out of the security server
MAINTAINERS: update selinux entry
SELinux: rename selinux_netlabel.h to netlabel.h
SELinux: extract the NetLabel SELinux support from the security server
NetLabel: convert a BUG_ON in the CIPSO code to a runtime check
NetLabel: cleanup and document CIPSO constants
APPLETALK NETWORK LAYER
P: Arnaldo Carvalho de Melo
-M: acme@conectiva.com.br
+M: acme@ghostprotocols.net
S: Maintained
ARC FRAMEBUFFER DRIVER
ATMEL WIRELESS DRIVER
P: Simon Kelley
M: simon@thekelleys.org.uk
+L: linux-wireless@vger.kernel.org
W: http://www.thekelleys.org.uk/atmel
W: http://atmelwlandriver.sourceforge.net/
S: Maintained
M: Larry.Finger@lwfinger.net
P: Stefano Brivio
M: st3@riseup.net
+L: linux-wireless@vger.kernel.org
W: http://bcm43xx.berlios.de/
S: Maintained
L: linux-kernel@vger.kernel.org
S: Maintained
+CFG80211 and NL80211
+P: Johannes Berg
+M: johannes@sipsolutions.net
+L: linux-wireless@vger.kernel.org
+S: Maintained
+
COMMON INTERNET FILE SYSTEM (CIFS)
P: Steve French
M: sfrench@samba.org
CYCLADES 2X SYNC CARD DRIVER
P: Arnaldo Carvalho de Melo
-M: acme@conectiva.com.br
-W: http://advogato.org/person/acme
-L: cycsyn-devel@bazar.conectiva.com.br
+M: acme@ghostprotocols.net
+W: http://oops.ghostprotocols.net:81/blog
S: Maintained
CYCLADES ASYNC MUX DRIVER
DCCP PROTOCOL
P: Arnaldo Carvalho de Melo
-M: acme@mandriva.com
+M: acme@ghostprotocols.net
L: dccp@vger.kernel.org
W: http://linux-net.osdl.org/index.php/DCCP
S: Maintained
HOST AP DRIVER
P: Jouni Malinen
M: jkmaline@cc.hut.fi
+L: linux-wireless@vger.kernel.org
L: hostap@shmoo.com
W: http://hostap.epitest.fi/
S: Maintained
M: yi.zhu@intel.com
P: James Ketrenos
M: jketreno@linux.intel.com
+L: linux-wireless@vger.kernel.org
L: ipw2100-devel@lists.sourceforge.net
L: http://lists.sourceforge.net/mailman/listinfo/ipw2100-devel
W: http://ipw2100.sourceforge.net
M: yi.zhu@intel.com
P: James Ketrenos
M: jketreno@linux.intel.com
+L: linux-wireless@vger.kernel.org
L: ipw2100-devel@lists.sourceforge.net
L: http://lists.sourceforge.net/mailman/listinfo/ipw2100-devel
W: http://ipw2200.sourceforge.net
IPX NETWORK LAYER
P: Arnaldo Carvalho de Melo
-M: acme@conectiva.com.br
+M: acme@ghostprotocols.net
L: netdev@vger.kernel.org
S: Maintained
LLC (802.2)
P: Arnaldo Carvalho de Melo
-M: acme@conectiva.com.br
+M: acme@ghostprotocols.net
S: Maintained
LINUX FOR 64BIT POWERPC
T: git git://git.infradead.org/mtd-2.6.git
S: Maintained
+UNSORTED BLOCK IMAGES (UBI)
+P: Artem Bityutskiy
+M: dedekind@infradead.org
+W: http://www.linux-mtd.infradead.org/
+L: linux-mtd@lists.infradead.org
+T: git git://git.infradead.org/ubi-2.6.git
+S: Maintained
+
MICROTEK X6 SCANNER
P: Oliver Neukum
M: oliver@neukum.name
M: proski@gnu.org
P: David Gibson
M: hermes@gibson.dropbear.id.au
+L: linux-wireless@vger.kernel.org
L: orinoco-users@lists.sourceforge.net
L: orinoco-devel@lists.sourceforge.net
W: http://www.nongnu.org/orinoco/
PRISM54 WIRELESS DRIVER
P: Prism54 Development Team
M: developers@islsm.org
-L: netdev@vger.kernel.org
+L: linux-wireless@vger.kernel.org
W: http://prism54.org
S: Maintained
RAYLINK/WEBGEAR 802.11 WIRELESS LAN DRIVER
P: Corey Thomas
M: corey@world.std.com
-L: linux-kernel@vger.kernel.org
+L: linux-wireless@vger.kernel.org
S: Maintained
RANDOM NUMBER DRIVER
M: sds@tycho.nsa.gov
P: James Morris
M: jmorris@namei.org
+ P: Eric Paris
+ M: eparis@parisplace.org
L: linux-kernel@vger.kernel.org (kernel issues)
- L: selinux@tycho.nsa.gov (general discussion)
+ L: selinux@tycho.nsa.gov (subscribers-only, general discussion)
W: http://www.nsa.gov/selinux
S: Supported
P: Daniel Drake
M: dsd@gentoo.org
W: http://softmac.sipsolutions.net/
-L: netdev@vger.kernel.org
+L: linux-wireless@vger.kernel.org
S: Maintained
SOFTWARE RAID (Multiple Disks) SUPPORT
WAVELAN NETWORK DRIVER & WIRELESS EXTENSIONS
P: Jean Tourrilhes
M: jt@hpl.hp.com
+L: linux-wireless@vger.kernel.org
W: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
S: Maintained
WL3501 WIRELESS PCMCIA CARD DRIVER
P: Arnaldo Carvalho de Melo
-M: acme@conectiva.com.br
-W: http://advogato.org/person/acme
+M: acme@ghostprotocols.net
+L: linux-wireless@vger.kernel.org
+W: http://oops.ghostprotocols.net:81/blog
S: Maintained
X.25 NETWORK LAYER
P: Ulrich Kunitz
M: kune@deine-taler.de
W: http://zd1211.ath.cx/wiki/DriverRewrite
+L: linux-wireless@vger.kernel.org
L: zd1211-devs@lists.sourceforge.net (subscribers-only)
S: Maintained
int cipso_v4_rbm_optfmt = 0;
int cipso_v4_rbm_strictvalid = 1;
+ /*
+ * Protocol Constants
+ */
+
+ /* Maximum size of the CIPSO IP option, derived from the fact that the maximum
+ * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
+ #define CIPSO_V4_OPT_LEN_MAX 40
+
+ /* Length of the base CIPSO option, this includes the option type (1 byte), the
+ * option length (1 byte), and the DOI (4 bytes). */
+ #define CIPSO_V4_HDR_LEN 6
+
+ /* Base length of the restrictive category bitmap tag (tag #1). */
+ #define CIPSO_V4_TAG_RBM_BLEN 4
+
+ /* Base length of the enumerated category tag (tag #2). */
+ #define CIPSO_V4_TAG_ENUM_BLEN 4
+
+ /* Base length of the ranged categories bitmap tag (tag #5). */
+ #define CIPSO_V4_TAG_RNG_BLEN 4
+ /* The maximum number of category ranges permitted in the ranged category tag
+ * (tag #5). You may note that the IETF draft states that the maximum number
+ * of category ranges is 7, but if the low end of the last category range is
+ * zero then it is possibile to fit 8 category ranges because the zero should
+ * be omitted. */
+ #define CIPSO_V4_TAG_RNG_CAT_MAX 8
+
/*
* Helper Functions
*/
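Review bot: The comment on the new CIPSO_V4_TAG_RNG_CAT_MAX has a typo (`possibile`) and justifies 8 ranges instead of the draft's 7 without showing the arithmetic that the other new constants make available. The tag payload is bounded by `CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN`, i.e. 30 bytes, which is seven four-byte high/low pairs plus two bytes for an eighth range whose zero low end is omitted on the wire; spelling that out ties the 8 to the same limits the ranged-tag encoder checks against. I would end the comment with `... then it is possible to fit 8 category ranges because the zero should be omitted (30 payload bytes = 7 * 4 + 2).`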
unsigned char *net_cat,
u32 net_cat_len)
{
- /* The constant '16' is not random, it is the maximum number of
- * high/low category range pairs as permitted by the CIPSO draft based
- * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion
- * does a sanity check to make sure we don't overflow the array. */
int iter = -1;
- u16 array[16];
+ u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
u32 array_cnt = 0;
u32 cat_size = 0;
- BUG_ON(net_cat_len > 30);
+ /* make sure we don't overflow the 'array[]' variable */
+ if (net_cat_len >
+ (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
+ return -ENOSPC;
for (;;) {
iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1);
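Review bot: The only bound on writes into `array[]` that this hunk shows is indirect: net_cat_len is capped at 30 bytes (the -ENOSPC check) while array[] now holds CIPSO_V4_TAG_RNG_CAT_MAX * 2 u16 entries, 32 bytes, and the loop presumably compares the accumulated cat_size against net_cat_len before each store; nothing visible expresses that the array bound depends on that cap staying in step with the constant. An explicit guard before each store, `if (array_cnt >= ARRAY_SIZE(array)) return -ENOSPC;`, would make the array bound local to the loop instead of a consequence of the caller's length argument, and a `BUILD_BUG_ON(sizeof(array) < CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN)` would pin the relationship the removed comment used to describe in prose. The new one-line comment could also say why 30 rather than 32 is the limit (the final zero low end is never emitted). The function's name line and the body of the `for (;;)` loop lie outside the hunk.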
u16 cat_low;
u16 cat_high;
- for(net_iter = 0; net_iter < net_cat_len; net_iter += 4) {
+ for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) {
cat_high = ntohs(*((__be16 *)&net_cat[net_iter]));
if ((net_iter + 4) <= net_cat_len)
cat_low = ntohs(*((__be16 *)&net_cat[net_iter + 2]));
* Protocol Handling Functions
*/
- #define CIPSO_V4_OPT_LEN_MAX 40
- #define CIPSO_V4_HDR_LEN 6
-
/**
* cipso_v4_gentag_hdr - Generate a CIPSO option header
* @doi_def: the DOI definition
*/
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
{
- if (skb->nh.iph->protocol == IPPROTO_ICMP || error != -EACCES)
+ if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
return;
if (gateway)
#include "objsec.h"
#include "netif.h"
#include "xfrm.h"
- #include "selinux_netlabel.h"
+ #include "netlabel.h"
#define XATTR_SELINUX_SUFFIX "selinux"
#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
int offset, ihlen, ret = -EINVAL;
struct iphdr _iph, *ih;
- offset = skb->nh.raw - skb->data;
+ offset = skb_network_offset(skb);
ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
if (ih == NULL)
goto out;
int ret = -EINVAL, offset;
struct ipv6hdr _ipv6h, *ip6;
- offset = skb->nh.raw - skb->data;
+ offset = skb_network_offset(skb);
ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
if (ip6 == NULL)
goto out;
return ret;
}
+ /**
+ * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+ static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+ {
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ if (selinux_netlbl_skbuff_getsid(skb,
+ (xfrm_sid == SECSID_NULL ?
+ base_sid : xfrm_sid),
+ &nlbl_sid) != 0)
+ nlbl_sid = SECSID_NULL;
+
+ *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+ }
+
/* socket security operations */
static int socket_has_perm(struct task_struct *task, struct socket *sock,
u32 perms)
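Review bot: selinux_skb_extlbl_sid folds every non-zero return from selinux_netlbl_skbuff_getsid into SECSID_NULL, so a lookup failure is indistinguishable from "packet carries no NetLabel label" and the callers in the following hunks then either fail with -EINVAL or record SECSID_NULL as the peer SID; if that helper can fail for reasons other than an absent label (allocation or mapping errors, for instance), a hard error is being downgraded to the weaker xfrm label rather than surfaced. The kernel-doc also leaves the precedence rule implicit, although the code fixes it: a NetLabel SID wins over an xfrm SID, and the xfrm SID (or @base_sid when there is none) only serves as the MLS base context for the NetLabel lookup. I would add to the Description: `NetLabel labeling takes precedence over IPsec/xfrm labeling; the xfrm SID, or @base_sid when the packet has none, is passed to NetLabel as the MLS base context. A failed NetLabel lookup is treated as "no NetLabel label" and yields the xfrm SID, or SECSID_NULL when neither is present.` If the helper distinguishes "no label" from a genuine error, only the former should map to SECSID_NULL.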
if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
- security_skb_extlbl_sid(skb,
- SECINITSID_UNLABELED,
- &peer_secid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
if (peer_secid == SECSID_NULL)
err = -EINVAL;
u32 newsid;
u32 peersid;
- security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
if (peersid == SECSID_NULL) {
req->secid = sksec->sid;
req->peer_secid = SECSID_NULL;
{
struct sk_security_struct *sksec = sk->sk_security;
- security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+ selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
}
static void selinux_req_classify_flow(const struct request_sock *req,
err = -EINVAL;
goto out;
}
- nlh = (struct nlmsghdr *)skb->data;
+ nlh = nlmsg_hdr(skb);
err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
if (err) {