The SELinux GTP implementation is explained in:
Documentation/security/GTP.rst
Signed-off-by: Richard Haines
---
Documentation/security/GTP.rst | 61 ++
security/selinux/hooks.c| 66 +
security/selinux/include/classmap.h | 2
that it is visible to the LSM modules for storing the security blob.
2) Remove pr_debug's from gtp.c security_* calls.
3) Minor GTP.rst updates.
4) Added netdev to distribution list.
Richard Haines (3):
security: Add GPRS Tunneling Protocol (GTP) security hooks
gtp: Add LSM hooks to
The GTP security hooks are explained in:
Documentation/security/GTP.rst
Signed-off-by: Richard Haines
---
Documentation/security/GTP.rst | 39
Documentation/security/index.rst | 1 +
include/linux/lsm_hook_defs.h| 3 +++
include/linux/lsm_hooks.h
Add security hooks to allow security modules to exercise access control
over GTP.
The 'struct gtp_dev' has been moved to include/net/gtp.h so that
it is visible to LSM security modules where their security blob
is stored.
Signed-off-by: Richard Haines
---
drivers/net/
On Tue, 2020-10-13 at 09:55 -0400, Paul Moore wrote:
> On Mon, Oct 12, 2020 at 5:40 AM Harald Welte
> wrote:
> > Hi Paul,
> >
> > On Sun, Oct 11, 2020 at 10:09:11PM -0400, Paul Moore wrote:
> > > Harald, Pablo - I know you both suggested taking a slow iterative
> > > approach to merging functiona
Open 5G I thought
adding MAC support might be useful somewhere along the line.
> however one comment from the point of view of somebody who is working
> on GGSN/P-GW
> software using the GTP kernel module:
>
> On Wed, Sep 30, 2020 at 10:49:34AM +0100, Richard Haines
On Wed, 2020-09-30 at 12:17 +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 30, 2020 at 10:49:31AM +0100, Richard Haines wrote:
> > These patches came about after looking at 5G open source in
> > particular
> > the updated 5G GTP driver at [1]. As this driver is still under
On Fri, 2018-05-11 at 20:15 +0300, Alexey Kodanev wrote:
> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks
> compatibility
> with the old programs that can pass sockaddr_in structure with
> AF_UNSPEC
> and INADDR_ANY to bind(). As a result, bind() returns EAFNOSUPPORT
> error.
> This was f
ess family ;
returned -1 (expected -1), errno 22 (expected 97)
INFO: ltp-pan reported some tests FAIL
LTP Version: 20180118
Reported-by: Anders Roxell
Signed-off-by: Richard Haines
---
security/selinux/hooks.c | 42 ++
1 file changed, 30 insertions(+), 12 deleti
On Thu, 2018-03-01 at 13:03 -0500, Paul Moore wrote:
> On March 1, 2018 9:36:37 AM Richard Haines wrote:
> > On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
> > > On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell
> > > wrote:
> >
On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote:
> On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell wrote:
> > Hi,
> >
> > I was running LTP's testcase connect01 [1] and found a regression
> > in linux-next
> > (next-20180301). Bisect gave me this patch as the problematic
> > patch (sha
> >
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
All "./sctp-tests run" obtained from: https://github.com/sctp/sctp-tests
pass.
> > wrote:
> > > > On Thu, Feb 15, 2018 at 09:15:40AM -0500, Neil Horman wrote:
> > > > > On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines
> > > > > wrote:
> > > > > > Add ip option support to allow LS
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/SELinux-sctp.rst | 157 ++
security/selinux/hooks.c| 280 +---
security/selinux/include
Add security hooks allowing security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 10
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +
net/sctp/sm_statefuns.c| 18 ++
net/sctp
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
include/net/sctp/sctp.h| 4 +++-
include/net/sctp/structs.h | 2 ++
net/sctp/chunk.c | 12 +++-
net/sctp/ipv6.c| 42
SCTP updates since
kernel 4.14.
[1] https://marc.info/?l=selinux&m=151061619115945&w=2
[2] https://marc.info/?l=selinux&m=150962470215797&w=2
[3] https://marc.info/?l=selinux&m=151198281817779&w=2
Richard Haines (4):
security: Add support for SCTP security hooks
sctp:
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/LSM-sctp.rst | 175
include/linux/lsm_hooks.h | 36
include/linux/security.h| 25
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst
Signed-off-by: Richard Haines
---
V5 Change: Rework selinux_netlbl_socket_connect() and
selinux_netlbl_socket_connect_locked as requested by Paul.
Documentation/security/SELinux-sctp.rst | 157
On Wed, 2018-01-10 at 11:37 -0500, Paul Moore wrote:
> On Sat, Dec 30, 2017 at 12:20 PM, Richard Haines
> wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.rst
> >
> > Signed-off-by: Richard Haines
> > ---
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/LSM-sctp.rst | 175
include/linux/lsm_hooks.h | 36
include/linux/security.h| 25
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/SELinux-sctp.rst | 157 ++
security/selinux/hooks.c| 280 +---
security/selinux/include
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
include/net/sctp/sctp.h| 4 +++-
include/net/sctp/structs.h | 2 ++
net/sctp/chunk.c | 13 -
net/sctp/ipv6.c| 42
Add security hooks to allow security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 10
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +
net/sctp/sm_statefuns.c| 18 ++
net/sctp
15945&w=2
[2] https://marc.info/?l=selinux&m=150962470215797&w=2
[3] https://marc.info/?l=selinux&m=151198281817779&w=2
Richard Haines (4):
security: Add support for SCTP security hooks
sctp: Add ip option support
sctp: Add LSM hooks
selinux:
On Fri, 2017-12-22 at 15:45 -0200, Marcelo Ricardo Leitner wrote:
> On Fri, Dec 22, 2017 at 09:20:45AM -0800, Casey Schaufler wrote:
> > On 12/22/2017 5:05 AM, Marcelo Ricardo Leitner wrote:
> > > From: Richard Haines
> > >
> > > The SCTP security hooks a
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst
Signed-off-by: Richard Haines
---
V2 Changes
Remove lock from selinux_sctp_assoc_request()
Fix selinux_sctp_sk_clone() kbuild test robot catch [1]
[1] https://marc.info/?l=selinux&m=151198281817779
On Tue, 2017-11-28 at 14:59 -0500, Stephen Smalley wrote:
> On Tue, 2017-11-28 at 14:39 -0500, Stephen Smalley wrote:
> > On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote:
> > > The SELinux SCTP implementation is explained in:
> > > Documentatio
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 2 ++
net/sctp/chunk.c | 13 -
net/sctp/ipv6.c| 42
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/SELinux-sctp.rst | 104
security/selinux/hooks.c| 278 +---
security/selinux/include
Add security hooks to allow security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 10
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +
net/sctp/sm_statefuns.c| 18 ++
net/sctp
oc_request().
Remove unused parameter from security_sctp_assoc_request().
Use address->sa_family == AF_INET in *_bind and *_connect to ensure
correct address type.
Minor cleanups.
[1] https://marc.info/?l=selinux&m=151061619115945&w=2
[2] https://marc.info/?l=selinux&m=1509624702157
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.rst
Signed-off-by: Richard Haines
---
Documentation/security/LSM-sctp.rst | 194
include/linux/lsm_hooks.h | 35 +++
include/linux/security.h| 25
On Mon, 2017-11-20 at 16:55 -0500, Paul Moore wrote:
> On Tue, Nov 14, 2017 at 4:52 PM, Richard Haines
> wrote:
> > On Mon, 2017-11-13 at 17:40 -0500, Paul Moore wrote:
> > > On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
> > > wrote:
> > > > On Mon, 2
On Mon, 2017-11-13 at 17:40 -0500, Paul Moore wrote:
> On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
> wrote:
> > On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
> > > On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
> > > wrote:
> > > > The S
On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
> On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
> wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.txt
> >
> > Signed-off-by: Richard Haines
> > ---
When resolving a fallback label, check the sk_buff version as it
is possible (e.g. SCTP) to have family = PF_INET6 while
receiving ip_hdr(skb)->version = 4.
Signed-off-by: Richard Haines
---
net/netlabel/netlabel_unlabeled.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/
On Mon, 2017-11-06 at 18:15 -0500, Paul Moore wrote:
> On Tue, Oct 17, 2017 at 9:58 AM, Richard Haines
> wrote:
> > Add support to label SCTP associations and cater for a situation
> > where
> > family = PF_INET6 with an ip_hdr(skb)->version = 4.
> >
On Tue, 2017-10-31 at 14:41 -0200, Marcelo Ricardo Leitner wrote:
> On Tue, Oct 17, 2017 at 03:02:47PM +0100, Richard Haines wrote:
> > The SCTP security hooks are explained in:
> > Documentation/security/LSM-sctp.txt
> >
> > Signed-off-by: Richard Haines
> > --
On Tue, 2017-10-31 at 15:06 -0200, Marcelo Ricardo Leitner wrote:
> Hello,
>
> On Tue, Oct 17, 2017 at 02:58:06PM +0100, Richard Haines wrote:
> > Add ip option support to allow LSM security modules to utilise
> > CIPSO/IPv4
> > and CALIPSO/IPv6 services.
> >
On Tue, 2017-10-31 at 15:16 -0200, Marcelo Ricardo Leitner wrote:
> On Tue, Oct 17, 2017 at 02:59:53PM +0100, Richard Haines wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.txt
> >
> > Signed-off-by: Richard Haines
On Fri, 2017-10-20 at 21:14 +0800, Xin Long wrote:
> On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
> wrote:
> > On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> > > On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > > > On Tue, Oct 17
On Fri, 2017-10-20 at 15:00 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-17 at 14:59 +0100, Richard Haines wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.txt
> >
> > Signed-off-by: Richard Haines
> > ---
On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > wrote:
> > > Add security hooks to allow security modules to exercise access
> > > control
>
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.txt
Signed-off-by: Richard Haines
---
Documentation/security/LSM-sctp.txt | 212
include/linux/lsm_hooks.h | 37 +++
include/linux/security.h| 27
tests
The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes forcing fragmentation etc.
Richard Haines (5):
sec
Add security hooks to allow security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 10
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +
net/sctp/sm_statefuns.c| 14 ++-
net/sctp
Add support to label SCTP associations and cater for a situation where
family = PF_INET6 with an ip_hdr(skb)->version = 4.
Signed-off-by: Richard Haines
---
include/net/netlabel.h| 3 ++
net/netlabel/netlabel_kapi.c | 80 +++
net/netla
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
and CALIPSO/IPv6 services.
Signed-off-by: Richard Haines
---
include/net/sctp/structs.h | 2 ++
net/sctp/chunk.c | 7 ---
net/sctp/ipv6.c| 37 ++---
net/sctp
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.txt
Signed-off-by: Richard Haines
---
Documentation/security/SELinux-sctp.txt | 108 +
security/selinux/hooks.c| 268 ++--
security/selinux/include
When using CALIPSO with IPPROTO_UDP it is possible to trigger a GPF as the
IP header may have moved.
Also update the payload length after adding the CALIPSO option.
Signed-off-by: Richard Haines
---
net/ipv6/calipso.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net
52 matches