1. 09 9月, 2012 1 次提交
  2. 30 7月, 2012 1 次提交
  3. 30 6月, 2012 1 次提交
    • P
      netlink: add netlink_kernel_cfg parameter to netlink_kernel_create · a31f2d17
      Pablo Neira Ayuso 提交于
      This patch adds the following structure:
      
      struct netlink_kernel_cfg {
              unsigned int    groups;
              void            (*input)(struct sk_buff *skb);
              struct mutex    *cb_mutex;
      };
      
      That can be passed to netlink_kernel_create to set optional configurations
      for netlink kernel sockets.
      
      I've populated this structure by looking for NULL and zero parameters at the
      existing code. The remaining parameters that always need to be set are still
      left in the original interface.
      
      That includes optional parameters for the netlink socket creation. This allows
      easy extensibility of this interface in the future.
      
      This patch also adapts all callers to use this new interface.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a31f2d17
  4. 27 6月, 2012 1 次提交
  5. 21 3月, 2012 1 次提交
  6. 18 1月, 2012 2 次提交
  7. 09 1月, 2012 1 次提交
  8. 06 1月, 2012 1 次提交
  9. 31 10月, 2011 1 次提交
  10. 27 7月, 2011 1 次提交
  11. 30 6月, 2011 1 次提交
    • M
      netfilter: add SELinux context support to AUDIT target · 131ad62d
      Mr Dash Four 提交于
      In this revision the conversion of secid to SELinux context and adding it
      to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
      separate helper function - audit_log_secctx - which does both the conversion
      and logging of SELinux context, thus also preventing internal secid number
      being leaked to userspace. If conversion is not successful an error is raised.
      
      With the introduction of this helper function the work done in xt_AUDIT.c is
      much more simplified. It also opens the possibility of this helper function
      being used by other modules (including auditd itself), if desired. With this
      addition, typical (raw auditd) output after applying the patch would be:
      
      type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
      type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0
      Acked-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NMr Dash Four <mr.dash.four@googlemail.com>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      131ad62d
  12. 04 3月, 2011 1 次提交
  13. 18 1月, 2011 1 次提交
  14. 04 11月, 2010 1 次提交
  15. 30 10月, 2010 4 次提交
  16. 28 7月, 2010 1 次提交
  17. 21 7月, 2010 1 次提交
    • N
      drop_monitor: convert some kfree_skb call sites to consume_skb · 70d4bf6d
      Neil Horman 提交于
      Convert a few calls from kfree_skb to consume_skb
      
      Noticed while I was working on dropwatch that I was detecting lots of internal
      skb drops in several places.  While some are legitimate, several were not,
      freeing skbs that were at the end of their life, rather than being discarded due
      to an error.  This patch converts those calls sites from using kfree_skb to
      consume_skb, which quiets the in-kernel drop_monitor code from detecting them as
      drops.  Tested successfully by myself
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      70d4bf6d
  18. 30 3月, 2010 1 次提交
    • T
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo 提交于
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Guess-its-ok-by: NChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  19. 05 2月, 2010 1 次提交
  20. 24 9月, 2009 1 次提交
  21. 24 6月, 2009 6 次提交
  22. 06 4月, 2009 3 次提交
    • E
      Audit: remove spaces from audit_log_d_path · def57543
      Eric Paris 提交于
      audit_log_d_path had spaces in the strings which would be emitted on the
      error paths.  This patch simply replaces those spaces with an _ or removes
      the needless spaces entirely.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      def57543
    • M
      audit: ignore terminating NUL in AUDIT_USER_TTY messages · 55ad2f8d
      Miloslav Trmac 提交于
      AUDIT_USER_TTY, like all other messages sent from user-space, is sent
      NUL-terminated.  Unlike other user-space audit messages, which come only
      from trusted sources, AUDIT_USER_TTY messages are processed using
      audit_log_n_untrustedstring().
      
      This patch modifies AUDIT_USER_TTY handling to ignore the trailing NUL
      and use the "quoted_string" representation of the message if possible.
      Signed-off-by: NMiloslav Trmac <mitr@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      55ad2f8d
    • M
      Audit: fix handling of 'strings' with NULL characters · b3897f56
      Miloslav Trmac 提交于
      currently audit_log_n_untrustedstring() uses audit_string_contains_control()
      to check if the 'string' has any control characters.  If the 'string' has an
      embedded NULL audit_string_contains_control() will return that the data has
      no control characters and will then pass the string to audit_log_n_string
      with the total length, not the length up to the first NULL.
      audit_log_n_string() does a memcpy of the entire length and so the actual
      audit record emitted may then contain a NULL and then whatever random memory
      is after the NULL.
      
      Since we want to log the entire octet stream (if we can't trust the data
      to be a string we can't trust that a NULL isn't actually a part of it)
      we should just consider NULL as a control character.  If the caller is
      certain they want to stop at the first NULL they should be using
      audit_log_untrustedstring.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      b3897f56
  23. 09 12月, 2008 2 次提交
  24. 02 8月, 2008 2 次提交
  25. 25 6月, 2008 2 次提交
  26. 17 5月, 2008 1 次提交