<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security/selinux/include, branch v3.18.15</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v3.18.15</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v3.18.15'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2014-09-10T21:09:57+00:00</updated>
<entry>
<title>selinux: make the netif cache namespace aware</title>
<updated>2014-09-10T21:09:57+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore@redhat.com</email>
</author>
<published>2014-09-10T21:09:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cbe0d6e8794f1da6cac1ea3864d2cfaf0bf87c8e'/>
<id>urn:sha1:cbe0d6e8794f1da6cac1ea3864d2cfaf0bf87c8e</id>
<content type='text'>
While SELinux largely ignores namespaces, for good reason, there are
some places where it needs to at least be aware of namespaces in order
to function correctly.  Network namespaces are one example.  Basic
awareness of network namespaces is necessary in order to match a
network interface's index number to an actual network device.

This patch corrects a problem with network interfaces added to a
non-init namespace, and can be reproduced with the following commands:

 [NOTE: the NetLabel configuration is here only to activate the dynamic
        networking controls ]

 # netlabelctl unlbl add default address:0.0.0.0/0 \
   label:system_u:object_r:unlabeled_t:s0
 # netlabelctl unlbl add default address:::/0 \
   label:system_u:object_r:unlabeled_t:s0
 # netlabelctl cipsov4 add pass doi:100 tags:1
 # netlabelctl map add domain:lspp_test_netlabel_t \
   protocol:cipsov4,100

 # ip link add type veth
 # ip netns add myns
 # ip link set veth1 netns myns
 # ip a add dev veth0 10.250.13.100/24
 # ip netns exec myns ip a add dev veth1 10.250.13.101/24
 # ip l set veth0 up
 # ip netns exec myns ip l set veth1 up

 # ping -c 1 10.250.13.101
 # ip netns exec myns ping -c 1 10.250.13.100

Reported-by: Jiri Jaburek &lt;jjaburek@redhat.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'v3.16' into next</title>
<updated>2014-08-05T19:44:22+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore@redhat.com</email>
</author>
<published>2014-08-05T19:44:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=aa9e0de81b5b257f6dae48efe2ed5f255f066497'/>
<id>urn:sha1:aa9e0de81b5b257f6dae48efe2ed5f255f066497</id>
<content type='text'>
Linux 3.16
</content>
</entry>
<entry>
<title>selinux: reduce the number of calls to synchronize_net() when flushing caches</title>
<updated>2014-06-26T18:33:56+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore@redhat.com</email>
</author>
<published>2014-06-26T18:33:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=615e51fdda6f274e94b1e905fcaf6111e0d9aa20'/>
<id>urn:sha1:615e51fdda6f274e94b1e905fcaf6111e0d9aa20</id>
<content type='text'>
When flushing the AVC, such as during a policy load, the various
network caches are also flushed, with each making a call to
synchronize_net() which has shown to be expensive in some cases.
This patch consolidates the network cache flushes into a single AVC
callback which only calls synchronize_net() once for each AVC cache
flush.

Reported-by: Jaejyn Shin &lt;flagon22bass@gmail.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
</content>
</entry>
<entry>
<title>security: Used macros from compiler.h instead of __attribute__((...))</title>
<updated>2014-06-18T20:59:34+00:00</updated>
<author>
<name>Gideon Israel Dsouza</name>
<email>gidisrael@gmail.com</email>
</author>
<published>2014-06-11T15:55:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4bb9398300a3a2c691e5c0ad6b9cfa78775e767e'/>
<id>urn:sha1:4bb9398300a3a2c691e5c0ad6b9cfa78775e767e</id>
<content type='text'>
To increase compiler portability there is &lt;linux/compiler.h&gt; which
provides convenience macros for various gcc constructs.  Eg: __packed
for __attribute__((packed)).

This patch is part of a large task I've taken to clean the gcc
specific attributes and use the macros instead.

Signed-off-by: Gideon Israel Dsouza &lt;gidisrael@gmail.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'v3.15' into next</title>
<updated>2014-06-17T21:30:23+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore@redhat.com</email>
</author>
<published>2014-06-17T21:30:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=170b5910d9fbea79de1bb40df22eda5f98250c0c'/>
<id>urn:sha1:170b5910d9fbea79de1bb40df22eda5f98250c0c</id>
<content type='text'>
Linux 3.15
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next</title>
<updated>2014-06-12T21:27:40+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2014-06-12T21:27:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f9da455b93f6ba076935b4ef4589f61e529ae046'/>
<id>urn:sha1:f9da455b93f6ba076935b4ef4589f61e529ae046</id>
<content type='text'>
Pull networking updates from David Miller:

 1) Seccomp BPF filters can now be JIT'd, from Alexei Starovoitov.

 2) Multiqueue support in xen-netback and xen-netfront, from Andrew J
    Benniston.

 3) Allow tweaking of aggregation settings in cdc_ncm driver, from Bjørn
    Mork.

 4) BPF now has a "random" opcode, from Chema Gonzalez.

 5) Add more BPF documentation and improve test framework, from Daniel
    Borkmann.

 6) Support TCP fastopen over ipv6, from Daniel Lee.

 7) Add software TSO helper functions and use them to support software
    TSO in mvneta and mv643xx_eth drivers.  From Ezequiel Garcia.

 8) Support software TSO in fec driver too, from Nimrod Andy.

 9) Add Broadcom SYSTEMPORT driver, from Florian Fainelli.

10) Handle broadcasts more gracefully over macvlan when there are large
    numbers of interfaces configured, from Herbert Xu.

11) Allow more control over fwmark used for non-socket based responses,
    from Lorenzo Colitti.

12) Do TCP congestion window limiting based upon measurements, from Neal
    Cardwell.

13) Support busy polling in SCTP, from Neil Horman.

14) Allow RSS key to be configured via ethtool, from Venkata Duvvuru.

15) Bridge promisc mode handling improvements from Vlad Yasevich.

16) Don't use inetpeer entries to implement ID generation any more, it
    performs poorly, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1522 commits)
  rtnetlink: fix userspace API breakage for iproute2 &lt; v3.9.0
  tcp: fixing TLP's FIN recovery
  net: fec: Add software TSO support
  net: fec: Add Scatter/gather support
  net: fec: Increase buffer descriptor entry number
  net: fec: Factorize feature setting
  net: fec: Enable IP header hardware checksum
  net: fec: Factorize the .xmit transmit function
  bridge: fix compile error when compiling without IPv6 support
  bridge: fix smatch warning / potential null pointer dereference
  via-rhine: fix full-duplex with autoneg disable
  bnx2x: Enlarge the dorq threshold for VFs
  bnx2x: Check for UNDI in uncommon branch
  bnx2x: Fix 1G-baseT link
  bnx2x: Fix link for KR with swapped polarity lane
  sctp: Fix sk_ack_backlog wrap-around problem
  net/core: Add VF link state control policy
  net/fsl: xgmac_mdio is dependent on OF_MDIO
  net/fsl: Make xgmac_mdio read error message useful
  net_sched: drr: warn when qdisc is not work conserving
  ...
</content>
</entry>
<entry>
<title>Merge branch 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security</title>
<updated>2014-06-10T17:05:36+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2014-06-10T17:05:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fad0701eaa091beb8ce5ef2eef04b5e833617368'/>
<id>urn:sha1:fad0701eaa091beb8ce5ef2eef04b5e833617368</id>
<content type='text'>
Pull security layer updates from Serge Hallyn:
 "This is a merge of James Morris' security-next tree from 3.14 to
  yesterday's master, plus four patches from Paul Moore which are in
  linux-next, plus one patch from Mimi"

* 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security:
  ima: audit log files opened with O_DIRECT flag
  selinux: conditionally reschedule in hashtab_insert while loading selinux policy
  selinux: conditionally reschedule in mls_convert_context while loading selinux policy
  selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
  selinux:  Report permissive mode in avc: denied messages.
  Warning in scanf string typing
  Smack: Label cgroup files for systemd
  Smack: Verify read access on file open - v3
  security: Convert use of typedef ctl_table to struct ctl_table
  Smack: bidirectional UDS connect check
  Smack: Correctly remove SMACK64TRANSMUTE attribute
  SMACK: Fix handling value==NULL in post setxattr
  bugfix patch for SMACK
  Smack: adds smackfs/ptrace interface
  Smack: unify all ptrace accesses in the smack
  Smack: fix the subject/object order in smack_ptrace_traceme()
  Minor improvement of 'smack_sb_kern_mount'
  smack: fix key permission verification
  KEYS: Move the flags representing required permission to linux/key.h
</content>
</entry>
<entry>
<title>selinux:  Report permissive mode in avc: denied messages.</title>
<updated>2014-06-03T19:21:48+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>sds@tycho.nsa.gov</email>
</author>
<published>2014-04-29T18:29:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ca7786a2f916540931d7114d441efa141c99c898'/>
<id>urn:sha1:ca7786a2f916540931d7114d441efa141c99c898</id>
<content type='text'>
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.

Signed-off-by: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Acked-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
</content>
</entry>
<entry>
<title>selinux:  Report permissive mode in avc: denied messages.</title>
<updated>2014-05-01T18:56:14+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>sds@tycho.nsa.gov</email>
</author>
<published>2014-04-29T18:29:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=626b9740fa73cad043e136bfb3b6fca68a4f8a7c'/>
<id>urn:sha1:626b9740fa73cad043e136bfb3b6fca68a4f8a7c</id>
<content type='text'>
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.

Signed-off-by: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Acked-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
</content>
</entry>
<entry>
<title>audit: add netlink audit protocol bind to check capabilities on multicast join</title>
<updated>2014-04-23T01:42:27+00:00</updated>
<author>
<name>Richard Guy Briggs</name>
<email>rgb@redhat.com</email>
</author>
<published>2014-04-23T01:31:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3a101b8de0d39403b2c7e5c23fd0b005668acf48'/>
<id>urn:sha1:3a101b8de0d39403b2c7e5c23fd0b005668acf48</id>
<content type='text'>
Register a netlink per-protocol bind function for audit to check userspace
process capabilities before allowing a multicast group connection.

Signed-off-by: Richard Guy Briggs &lt;rgb@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
