<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/net/netlabel/netlabel_kapi.c, branch linux-5.1.y</title>
<subtitle>Hosts the 0x221E linux distro kernel.</subtitle>
<id>https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y</id>
<link rel='self' href='https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y'/>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/'/>
<updated>2019-02-28T05:45:24Z</updated>
<entry>
<title>netlabel: fix out-of-bounds memory accesses</title>
<updated>2019-02-28T05:45:24Z</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2019-02-26T00:06:06Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=5578de4834fe0f2a34fedc7374be691443396d1f'/>
<id>urn:sha1:5578de4834fe0f2a34fedc7374be691443396d1f</id>
<content type='text'>
There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both
errors are embarrassingly simple, and the fixes are straightforward.

As an FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.

Reported-by: Jann Horn &lt;jannh@google.com&gt;
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netlabel: add CALIPSO to the list of built-in protocols</title>
<updated>2017-01-07T03:20:45Z</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2017-01-06T19:26:54Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=bcd5e1a49f0d54afd3c5411bed2f59996e1c53e4'/>
<id>urn:sha1:bcd5e1a49f0d54afd3c5411bed2f59996e1c53e4</id>
<content type='text'>
When we added CALIPSO support in Linux v4.8 we forgot to add it to the
list of supported protocols with display at boot.

Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netlabel: Implement CALIPSO config functions for SMACK.</title>
<updated>2016-06-27T19:06:18Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:06:18Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=3f09354ac84c6904787189d85fb306bf60f714b8'/>
<id>urn:sha1:3f09354ac84c6904787189d85fb306bf60f714b8</id>
<content type='text'>
SMACK uses similar functions to control CIPSO, these are
the equivalent functions for CALIPSO and follow exactly
the same semantics.

int netlbl_cfg_calipso_add(struct calipso_doi *doi_def,
                           struct netlbl_audit *audit_info)
    Adds a CALIPSO doi.

void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info)
    Removes a CALIPSO doi.

int netlbl_cfg_calipso_map_add(u32 doi, const char *domain,
                               const struct in6_addr *addr,
                               const struct in6_addr *mask,
                               struct netlbl_audit *audit_info)
    Creates a mapping between a domain and a CALIPSO doi.  If
    addr and mask are non-NULL this creates an address-selector
    type mapping.

This also extends netlbl_cfg_map_del() to remove IPv6 address-selector
mappings.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>calipso: Add a label cache.</title>
<updated>2016-06-27T19:06:17Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:06:17Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=4fee5242bf41d9ad641d4c1b821e36eb7ba37fbf'/>
<id>urn:sha1:4fee5242bf41d9ad641d4c1b821e36eb7ba37fbf</id>
<content type='text'>
This works in exactly the same way as the CIPSO label cache.
The idea is to allow the lsm to cache the result of a secattr
lookup so that it doesn't need to perform the lookup for
every skbuff.

It introduces two sysctl controls:
 calipso_cache_enable - enables/disables the cache.
 calipso_cache_bucket_size - sets the size of a cache bucket.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>netlabel: Pass a family parameter to netlbl_skbuff_err().</title>
<updated>2016-06-27T19:06:16Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:06:16Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=a04e71f631fa3d2fd2aa0404c11484739d1e9073'/>
<id>urn:sha1:a04e71f631fa3d2fd2aa0404c11484739d1e9073</id>
<content type='text'>
This makes it possible to route the error to the appropriate
labelling engine.  CALIPSO is far less verbose than CIPSO
when encountering a bogus packet, so there is no need for a
CALIPSO error handler.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>calipso: Allow the lsm to label the skbuff directly.</title>
<updated>2016-06-27T19:06:15Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:06:15Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3'/>
<id>urn:sha1:2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3</id>
<content type='text'>
In some cases, the lsm needs to add the label to the skbuff directly.
A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4
behaviour.  This allows selinux to label the skbuffs that it requires.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>calipso: Allow request sockets to be relabelled by the lsm.</title>
<updated>2016-06-27T19:05:29Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:05:29Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=e1adea927080821ebfa7505bff752a4015955660'/>
<id>urn:sha1:e1adea927080821ebfa7505bff752a4015955660</id>
<content type='text'>
Request sockets need to have a label that takes into account the
incoming connection as well as their parent's label.  This is used
for the outgoing SYN-ACK and for their child full-socket.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>calipso: Set the calipso socket label to match the secattr.</title>
<updated>2016-06-27T19:02:51Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:02:51Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=ceba1832b1b2da0149c51de62a847c00bca1677a'/>
<id>urn:sha1:ceba1832b1b2da0149c51de62a847c00bca1677a</id>
<content type='text'>
CALIPSO is a hop-by-hop IPv6 option.  A lot of this patch is based on
the equivalent CIPSO code.  The main difference is due to manipulating
the options in the hop-by-hop header.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>netlabel: Move bitmap manipulation functions to the NetLabel core.</title>
<updated>2016-06-27T19:02:51Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:02:51Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=3faa8f982f958961fda68b8d63e682fe77a032d4'/>
<id>urn:sha1:3faa8f982f958961fda68b8d63e682fe77a032d4</id>
<content type='text'>
This is to allow the CALIPSO labelling engine to use these.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>netlabel: Initial support for the CALIPSO netlink protocol.</title>
<updated>2016-06-27T19:02:46Z</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:02:46Z</published>
<link rel='alternate' type='text/html' href='https://universe.0xinfinity.dev/distro/kernel/commit/?id=cb72d38211eacda2dd90b09540542b6582da614e'/>
<id>urn:sha1:cb72d38211eacda2dd90b09540542b6582da614e</id>
<content type='text'>
CALIPSO is a packet labelling protocol for IPv6 which is very similar
to CIPSO.  It is specified in RFC 5570.  Much of the code is based on
the current CIPSO code.

This adds support for adding passthrough-type CALIPSO DOIs through the
NLBL_CALIPSO_C_ADD command.  It requires attributes:

 NLBL_CALIPSO_A_TYPE which must be CALIPSO_MAP_PASS.
 NLBL_CALIPSO_A_DOI.

In passthrough mode the CALIPSO engine will map MLS secattr levels
and categories directly to the packet label.

At this stage, the major difference between this and the CIPSO
code is that IPv6 may be compiled as a module.  To allow for
this the CALIPSO functions are registered at module init time.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
</feed>
