The udp-tunnel setup allows binding sockets to a network device. Prefer
the new SO_BINDTOIFINDEX to avoid temporarily resolving the device-name
just to look it up in the ioctl again.
Reviewed-by: Tom Gundersen
Signed-off-by: David Herrmann
---
v2:
- Rename to SO_BINDTOIFINDEX from SO_BINDTOIF
depend on
the name and can run network setup of dormant devices in parallel to
the transition off the initrd. The SO_BINDTOIFINDEX ioctl plugs this
race.
Reviewed-by: Tom Gundersen
Signed-off-by: David Herrmann
---
v2:
- Rename to SO_BINDTOIFINDEX from SO_BINDTOIF
- skip 0x0040 SO-value on sparc
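The messages above describe why a socket should be bound by interface index rather than by name. The program below is an added example written for this page (it is not code from the patch series) showing the user-space side: one name lookup up front, then SO_BINDTOIFINDEX for the bind and the read-back. It assumes the asm-generic option value 62 only as a fallback when the libc headers lack the symbol, and that the kernel is recent enough to know the option; binding an already-bound socket still needs CAP_NET_RAW, and older kernels require it for the first bind as well.

```c
/* Added example, not from the patch series: bind a UDP socket to a
 * network interface by index with SO_BINDTOIFINDEX.  The name lookup of
 * "lo" is done only to seed the demo; a caller that learned the ifindex
 * from rtnetlink would never touch the name at all, which is what avoids
 * the rename race described in the commit message. */
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_BINDTOIFINDEX
/* asm-generic value (Linux >= 5.1); alpha, mips, parisc and sparc use
 * their own numbering, so a libc definition must always win over this. */
#define SO_BINDTOIFINDEX 62
#endif

/* Bind @fd to the device with index @ifindex (0 unbinds).  Returns 0 on
 * success or -errno.  Changing an existing binding needs CAP_NET_RAW,
 * like SO_BINDTODEVICE; older kernels demand it for the first bind too. */
int bind_to_ifindex(int fd, int ifindex)
{
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTOIFINDEX,
                   &ifindex, sizeof(ifindex)) < 0)
        return -errno;
    return 0;
}

/* Read back the index the socket is bound to (0 = not bound), or -errno.
 * Unlike SO_BINDTODEVICE this needs no name buffer and no second lookup. */
int get_bound_ifindex(int fd)
{
    int ifindex = 0;
    socklen_t len = sizeof(ifindex);

    if (getsockopt(fd, SOL_SOCKET, SO_BINDTOIFINDEX, &ifindex, &len) < 0)
        return -errno;
    return ifindex;
}

/* Bind a fresh UDP socket to loopback by index and read the binding back.
 * Returns the bound ifindex (1 for "lo" in practice), or -errno: -EPERM
 * without CAP_NET_RAW on older kernels, -ENOPROTOOPT on kernels that
 * predate the option. */
int demo_bind_loopback(void)
{
    int fd, r;
    unsigned int ifindex = if_nametoindex("lo");  /* the one name lookup */

    if (ifindex == 0)
        return -errno;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;

    r = bind_to_ifindex(fd, (int)ifindex);
    if (r == 0)
        r = get_bound_ifindex(fd);

    close(fd);
    return r;
}

int main(void)
{
    int r = demo_bind_loopback();

    if (r < 0) {
        fprintf(stderr, "SO_BINDTOIFINDEX: %s\n", strerror(-r));
        return 1;
    }
    printf("socket bound to ifindex %d\n", r);
    return 0;
}
```

After the bind, the device may be renamed or the name reused without affecting which device the socket is attached to, because the kernel stores only the index; with SO_BINDTODEVICE the name would have to be resolved again inside the setsockopt call, which is the window the commit message refers to.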
Hi
On Thu, Jan 10, 2019 at 5:38 PM David Ahern wrote:
>
> On 1/10/19 7:25 AM, David Herrmann wrote:
> > This introduces a new generic SOL_SOCKET-level socket option called
> > SO_BINDTOIF. It behaves similar to SO_BINDTODEVICE, but takes a network
> > interface index as a
The udp-tunnel setup allows binding sockets to a network device. Prefer
the new SO_BINDTOIF to avoid temporarily resolving the device-name just
to look it up in the ioctl again.
Signed-off-by: David Herrmann
---
net/ipv6/ip6_udp_tunnel.c | 15 +++
1 file changed, 3 insertions(+), 12
on
the name and can run network setup of dormant devices in parallel to
the transition off the initrd. The SO_BINDTOIF ioctl plugs this race.
Signed-off-by: David Herrmann
---
arch/alpha/include/uapi/asm/socket.h | 2 ++
arch/ia64/include/uapi/asm/socket.h | 2 ++
arch/mips/include/uapi/asm
The udp-tunnel setup allows binding sockets to a network device. Prefer
the new SO_BINDTOIF to avoid temporarily resolving the device-name just
to look it up in the ioctl again.
Signed-off-by: David Herrmann
---
net/ipv4/udp_tunnel.c | 15 +++
1 file changed, 3 insertions(+), 12
://www.spinics.net/lists/selinux/msg22674.html
David Herrmann (3):
security: add hook for socketpair()
net: hook socketpair() into LSM
selinux: provide socketpair callback
Tom Gundersen (1):
smack: provide socketpair callback
include/linux/lsm_hooks.h | 7 +++
include/linux
Make sure to implement the new socketpair callback so the SO_PEERSEC
call on socketpair(2)s will return correct information.
Acked-by: Serge Hallyn
Acked-by: Stephen Smalley
Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
---
security/selinux/hooks.c | 13 +
1 file
igned-off-by: David Herrmann
---
include/linux/lsm_hooks.h | 7 +++
include/linux/security.h | 7 +++
security/security.c | 6 ++
3 files changed, 20 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9d0b286f3dba..8f1131c8dd54 100644
--- a/in
From: Tom Gundersen
Make sure to implement the new socketpair callback so the SO_PEERSEC
call on socketpair(2)s will return correct information.
Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
---
security/smack/smack_lsm.c | 22 ++
1 file changed, 22
Use the newly created LSM-hook for socketpair(). The default hook
return-value is 0, so behavior stays the same unless LSMs start using
this hook.
Acked-by: Serge Hallyn
Signed-off-by: Tom Gundersen
Signed-off-by: David Herrmann
---
net/socket.c | 7 +++
1 file changed, 7 insertions
Hey
On Wed, Apr 25, 2018 at 9:02 PM, James Morris wrote:
> On Wed, 25 Apr 2018, Paul Moore wrote:
>
>> On Wed, Apr 25, 2018 at 2:44 PM, James Morris wrote:
>> > On Mon, 23 Apr 2018, David Herrmann wrote:
>> >> This patch series tries to close this gap and makes
/master/src/util/test-peersec.c
[2] https://www.spinics.net/lists/selinux/msg22674.html
David Herrmann (3):
security: add hook for socketpair(AF_UNIX, ...)
net/unix: hook unix_socketpair() into LSM
selinux: provide unix_stream_socketpair callback
include/linux/lsm_hooks.h | 8
Make sure to implement the new unix_stream_socketpair callback so the
SO_PEERSEC call on socketpair(2)s will return correct information.
Signed-off-by: David Herrmann
---
security/selinux/hooks.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/security/selinux/hooks.c b
is is unexpected and makes
socketpair() less useful in situations where the security context is
crucial to the application.
With the new socketpair-hook this disparity can be solved by making
socketpair() return the expected security context.
Signed-off-by: David Herrmann
---
include/linux/lsm_ho
Use the newly created LSM-hook for unix_socketpair(). The default hook
return-value is 0, so behavior stays the same unless LSMs start using
this hook.
Signed-off-by: David Herrmann
---
net/unix/af_unix.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/net/unix/af_unix.c b/net/unix
with ETOOMANYREFS if a client
maliciously modifies the FD while inflight.
Cc: Alban Crequy
Cc: Simon McVittie
Signed-off-by: David Herrmann
---
include/net/af_unix.h | 1 -
net/unix/af_unix.c| 24 +---
2 files changed, 1 insertion(+), 24 deletions(-)
diff --git a/inc
ccess-management based on groups) work without resorting
to the user/group database. This new SO_PEERGROUPS ioctl would allow us
to make dbus-daemon work without ever calling into NSS.
Cc: Michal Sekletar
Cc: Simon McVittie
Reviewed-by: Tom Gundersen
Signed-off-by: David Herrmann
---
v2:
- rebase o
ccess-management based on groups) work without resorting
to the user/group database. This new SO_PEERGROUPS ioctl would allow us
to make dbus-daemon work without ever calling into NSS.
Cc: Michal Sekletar
Cc: Simon McVittie
Cc: Tom Gundersen
Signed-off-by: David Herrmann
---
arch/alpha/include/uap
Hi
On Sat, Jan 14, 2017 at 5:55 PM, Alexei Starovoitov wrote:
> Another alternative is to extend samples/bpf/map_perf_test
> It has perf tests for most map types today (including lru)
> and trie would be natural addition there.
> I would prefer this latter option.
I hooked into gettid() and inst
Hi
On Wed, Feb 3, 2016 at 12:36 PM, Simon McVittie
wrote:
> Am I right in saying that the advice I give to D-Bus users should be
> something like this?
>
> * system services should not send fds at all, unless they trust the
> dbus-daemon
> * system services should not send fds via D-Bus that wi
Hi
On Sun, Jan 10, 2016 at 7:54 AM, Willy Tarreau wrote:
> It is possible for a process to allocate and accumulate far more FDs than
> the process' limit by sending them over a unix socket then closing them
> to keep the process' fd count low.
>
> This change addresses this problem by keeping tra
Signed-off-by: David Herrmann
---
net/unix/af_unix.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index c5bf5ef..9f88193 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1534,7 +1534,6 @@ static int unix_attach_fds(struct
Hi
On Fri, Nov 13, 2015 at 3:20 PM, Dan Carpenter wrote:
> This condition doesn't work when len is smaller than expected and not a
> multiple of 4. In that situation "len - pos" is negative and type
> promoted to a high unsigned value and we do not break out of the loop.
> It causes the program
below handle_mm_fault().
Fix this by reducing locking of NETLINK_LIST_MEMBERSHIPS to a read-side
lock. The write-lock was overkill in the first place, and the read-lock
allows page-faults just fine.
Cc: # 4.2+
Reported-by: Dmitry Vyukov
Signed-off-by: David Herrmann
---
net/netlink
-space can retry with a properly sized array in case it was too small.
Signed-off-by: David Herrmann
---
v2:
- rebase on top of net-next
conflict due to 59324cf35ab ('netlink: allow to listen "all" netns')
include/uapi/linux/netlink.h | 17 +
net/netlink/a
-space can retry with a properly sized array in case it was too small.
Signed-off-by: David Herrmann
---
include/uapi/linux/netlink.h | 15 ---
net/netlink/af_netlink.c | 22 ++
2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/include/uapi/linux
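The NETLINK_LIST_MEMBERSHIPS messages above say that user-space can retry with a properly sized array when the one it passed was too small. The program below is an added example for this page (not code from the patch) showing that retry loop from the user-space side and a small bitmask lookup on the result. It assumes the documented contract that the kernel copies as many whole 32-bit words as fit and reports the size it needs through optlen without returning an error, that the bit for group N is bit N-1 of the mask, and that the option value 9 is only a fallback when the headers lack the symbol. Lengths are always passed as a multiple of 4: the quoted report from Dan Carpenter above describes what the kernel-side length check did with other values.

```c
/* Added example, not from the patch: enumerate a netlink socket's multicast
 * group memberships with NETLINK_LIST_MEMBERSHIPS.  The kernel copies as
 * many whole 32-bit words as fit and stores the size it needs in optlen,
 * so a too-small buffer is detected by comparing lengths, not by an error
 * return, and the caller retries with the reported size. */
#include <errno.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
#ifndef NETLINK_LIST_MEMBERSHIPS
#define NETLINK_LIST_MEMBERSHIPS 9  /* Linux >= 4.2 (assumed fallback) */
#endif

/* Fill *out with the membership bitmask as u32 words, group N at bit N-1.
 * Returns the number of words or -errno; *out is malloc()ed. */
int list_memberships(int fd, uint32_t **out)
{
    socklen_t len = sizeof(uint32_t);   /* deliberately small first try */
    uint32_t *buf = NULL;

    for (;;) {
        socklen_t have = len;
        uint32_t *nbuf = realloc(buf, have ? have : sizeof(uint32_t));

        if (!nbuf) {
            free(buf);
            return -ENOMEM;
        }
        buf = nbuf;
        if (getsockopt(fd, SOL_NETLINK, NETLINK_LIST_MEMBERSHIPS,
                       buf, &len) < 0) {
            int e = errno;

            free(buf);
            return -e;
        }
        if (len <= have)
            break;  /* the whole mask fit into what we passed */
        /* kernel wants @len bytes: go round again with that size */
    }
    *out = buf;
    return (int)(len / sizeof(uint32_t));
}

/* Is 1-based group @grp (RTNLGRP_* numbering) set in the mask? */
int has_membership(const uint32_t *words, int nwords, unsigned int grp)
{
    unsigned int bit;

    if (grp == 0)
        return 0;
    bit = grp - 1;
    if (nwords < 0 || bit / 32 >= (unsigned int)nwords)
        return 0;
    return (int)((words[bit / 32] >> (bit % 32)) & 1u);
}

/* Join RTNLGRP_LINK on a rtnetlink socket (allowed unprivileged, since
 * NETLINK_ROUTE permits non-root receivers) and check that the membership
 * shows up.  Returns 1 if it does, 0 if not, -errno on failure. */
int demo_rtnl_link_membership(void)
{
    struct sockaddr_nl sa;
    uint32_t *words = NULL;
    int fd, n, r;

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return -errno;

    memset(&sa, 0, sizeof(sa));
    sa.nl_family = AF_NETLINK;
    sa.nl_groups = RTMGRP_LINK;     /* legacy 32-bit mask form of RTNLGRP_LINK */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        r = -errno;
        goto out;
    }

    n = list_memberships(fd, &words);
    if (n < 0) {
        r = n;
        goto out;
    }
    r = has_membership(words, n, RTNLGRP_LINK);
    free(words);
out:
    close(fd);
    return r;
}

int main(void)
{
    int r = demo_rtnl_link_membership();

    if (r < 0) {
        fprintf(stderr, "NETLINK_LIST_MEMBERSHIPS: %s\n", strerror(-r));
        return 1;
    }
    printf("RTNLGRP_LINK membership %s\n", r ? "reported" : "missing");
    return r ? 0 : 1;
}
```

A socket that has never been bound reports a required length of 0, so list_memberships() returns zero words rather than failing; a helper that wants a stable answer should bind (or add a membership) first, which is what forces the kernel to size the socket's group array.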
28 matches