- 23 9月, 2006 18 次提交
-
-
由 Venkat Yekkirala 提交于
The following patch will fix the build problem (encountered by Andrew Morton) when SECURITY_NETWORK_XFRM is not enabled. As compared to git-net-selinux_xfrm_decode_session-build-fix.patch in -mm, this patch sets the return parameter sid to SECSID_NULL in selinux_xfrm_decode_session() and handles this value in the caller selinux_inet_conn_request() appropriately. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This automatically labels the TCP, Unix stream, and dccp child sockets as well as openreqs to be at the same MLS level as the peer. This will result in the selection of appropriately labeled IPSec Security Associations. This also uses the sock's sid (as opposed to the isec sid) in SELinux enforcement of secmark in rcv_skb and postroute_last hooks. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec like they currently do. ipmr ip_gre ipip igmp sit sctp ip6_tunnel (IPv6 over IPv6 tunnel device) decnet Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This includes the security context of a security association created for use by IKE in the acquire messages sent to IKE daemons using PF_KEY. This would allow the daemons to include the security context in the negotiation, so that the resultant association is unique to that security context. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Serge Hallyn 提交于
This includes the security context of a security association created for use by IKE in the acquire messages sent to IKE daemons using netlink/xfrm_user. This would allow the daemons to include the security context in the negotiation, so that the resultant association is unique to that security context. Signed-off-by: NSerge Hallyn <serue@us.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This implements a seemless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This adds security to flow key for labeling of flows as also to allow for making flow cache lookups based on the security label seemless. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This adds security for IP sockets at the sock level. Security at the sock level is needed to enforce the SELinux security policy for security associations even when a sock is orphaned (such as in the TCP LAST_ACK state). This will also be used to enforce SELinux controls over data arriving at or leaving a child socket while it's still waiting to be accepted. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
This defines a routine that combines the Type Enforcement portion of one sid with the MLS portion from the other sid to arrive at a new sid. This would be used to define a sid for a security association that is to be negotiated by IKE as well as for determing the sid for open requests and connection-oriented child sockets. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Venkat Yekkirala 提交于
The current approach to labeling Security Associations for SELinux purposes uses a one-to-one mapping between xfrm policy rules and security associations. This doesn't address the needs of real world MLS (Multi-level System, traditional Bell-LaPadula) environments where a single xfrm policy rule (pertaining to a range, classified to secret for example) might need to map to multiple Security Associations (one each for classified, secret, top secret and all the compartments applicable to these security levels). This patch set addresses the above problem by allowing for the mapping of a single xfrm policy rule to multiple security associations, with each association used in the security context it is defined for. It also includes the security context to be used in IKE negotiation in the acquire messages sent to the IKE daemon so that a unique SA can be negotiated for each unique security context. A couple of bug fixes are also included; checks to make sure the SAs used by a packet match policy (security context-wise) on the inbound and also that the bundle used for the outbound matches the security context of the flow. This patch set also makes the use of the SELinux sid in flow cache lookups seemless by including the sid in the flow key itself. Also, open requests as well as connection-oriented child sockets are labeled automatically to be at the same level as the peer to allow for use of appropriately labeled IPSec associations. Description of changes: A "sid" member has been added to the flow cache key resulting in the sid being available at all needed locations and the flow cache lookups automatically using the sid. The flow sid is derived from the socket on the outbound and the SAs (unlabeled where an SA was not used) on the inbound. Outbound case: 1. Find policy for the socket. 2. OLD: Find an SA that matches the policy. NEW: Find an SA that matches BOTH the policy and the flow/socket. This is necessary since not every SA that matches the policy can be used for the flow/socket. Consider policy range Secret-TS, and SAs each for Secret and TS. We don't want a TS socket to use the Secret SA. Hence the additional check for the SA Vs. flow/socket. 3. NEW: When looking thru bundles for a policy, make sure the flow/socket can use the bundle. If a bundle is not found, create one, calling for IKE if necessary. If using IKE, include the security context in the acquire message to the IKE daemon. Inbound case: 1. OLD: Find policy for the socket. NEW: Find policy for the incoming packet based on the sid of the SA(s) it used or the unlabeled sid if no SAs were used. (Consider a case where a socket is "authorized" for two policies (unclassified-confidential, secret-top_secret). If the packet has come in using a secret SA, we really ought to be using the latter policy (secret-top_secret).) 2. OLD: BUG: No check to see if the SAs used by the packet agree with the policy sec_ctx-wise. (It was indicated in selinux_xfrm_sock_rcv_skb() that this was being accomplished by (x->id.spi == tmpl->id.spi || !tmpl->id.spi) in xfrm_state_ok, but it turns out tmpl->id.spi would normally be zero (unless xfrm policy rules specify one at the template level, which they usually don't). NEW: The socket is checked for access to the SAs used (based on the sid of the SAs) in selinux_xfrm_sock_rcv_skb(). Forward case: This would be Step 1 from the Inbound case, followed by Steps 2 and 3 from the Outbound case. Outstanding items/issues: - Timewait acknowledgements and such are generated in the current/upstream implementation using a NULL socket resulting in the any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed by this patch set. This patch: Add new flask definitions to SELinux Adds a new avperm "polmatch" to arbitrate flow/state access to a xfrm policy rule. Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
git://git.infradead.org/~dwmw2/hdroneline由 Linus Torvalds 提交于
* git://git.infradead.org/~dwmw2/hdroneline: [HEADERS] One line per header in Kbuild files to reduce conflicts Manual (trivial) conflict resolution in include/asm-s390/Kbuild
-
git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2由 Linus Torvalds 提交于
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2: ocfs2: Remove overzealous BUG_ON() ocfs2: Don't print on unknown remote blocking call ocfs2: Remove EXPERIMENTAL dependency ocfs2: implement directory read-ahead ocfs2: properly update i_mtime on buffered write ocfs2: Fix directory link count checks in ocfs2_link() ocfs2: move nlink check in ocfs2_mknod() ocfs2: Fix heartbeat sector calculation [PATCH] fs/ocfs2/ioctl.c should #include "ioctl.h" ocfs2: add ext2 attributes configfs: Prevent duplicate subsystem names.
-
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (64 commits) [BLOCK] dm-crypt: trivial comment improvements [CRYPTO] api: Deprecate crypto_digest_* and crypto_alg_available [CRYPTO] padlock: Convert padlock-sha to use crypto_hash [CRYPTO] users: Use crypto_comp and crypto_has_* [CRYPTO] api: Add crypto_comp and crypto_has_* [CRYPTO] users: Use crypto_hash interface instead of crypto_digest [SCSI] iscsi: Use crypto_hash interface instead of crypto_digest [CRYPTO] digest: Remove old HMAC implementation [CRYPTO] doc: Update documentation for hash and me [SCTP]: Use HMAC template and hash interface [IPSEC]: Use HMAC template and hash interface [CRYPTO] tcrypt: Use HMAC template and hash interface [CRYPTO] hmac: Add crypto template implementation [CRYPTO] digest: Added user API for new hash type [CRYPTO] api: Mark parts of cipher interface as deprecated [PATCH] scatterlist: Add const to sg_set_buf/sg_init_one pointer argument [CRYPTO] drivers: Remove obsolete block cipher operations [CRYPTO] users: Use block ciphers where applicable [SUNRPC] GSS: Use block ciphers where applicable [IPSEC] ESP: Use block ciphers where applicable ...
-
git://git390.osdl.marist.edu/pub/scm/linux-2.6由 Linus Torvalds 提交于
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6: (44 commits) [S390] hypfs crashes with invalid mount option. [S390] cio: subchannel evaluation function operates without lock [S390] cio: always query all paths on path verification. [S390] cio: update path groups on logical CHPID changes. [S390] cio: subchannels in no-path state. [S390] Replace nopav-message on VM. [S390] set modalias for ccw bus uevents. [S390] Get rid of DBG macro. [S390] Use alternative user-copy operations for new hardware. [S390] Make user-copy operations run-time configurable. [S390] Cleanup in signal handling code. [S390] Cleanup in page table related code. [S390] Linux API for writing z/VM APPLDATA Monitor records. [S390] xpram off by one error. [S390] Remove kexec experimental flag. [S390] cleanup appldata. [S390] fix typo in vmcp. [S390] Kernel stack overflow handling. [S390] qdio slsb processing state. [S390] Missing initialization in common i/o layer. ...
-
git://git.infradead.org/mtd-2.6由 Linus Torvalds 提交于
* git://git.infradead.org/mtd-2.6: Remove accidentally-added include/linux/utsrelease.h Revert "[MTD] blkdev helper code: fix printk format warning" [MTD] Add SSFDC (SmartMedia) read-only translation layer [MTD] pmc551 pci cleanup [MTD] pmc551 use kzalloc [MTD] pmc551 whitespace cleanup [MTD] Remove iq80310 map driver [MTD NAND] Fix in typo ndfc.c causing wrong ECC layout [MTD] physmap: add power management support ioremap balanced with iounmap for drivers/mtd subsystem [MTD] Switch to pci_get_device and do ref counting [MTD] blkdev helper code: fix printk format warning [MTD] Fix ixp4xx partition parsing. [JFFS2] Remove unneeded ifdefs from jffs2_fs_i.h [MTD NAND] Remove old code in au1550nd.c [MTD] Unlock NOR flash automatically where necessary
-
git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc: (114 commits) [POWERPC] Fix ohare IDE irq workaround on old powermacs [POWERPC] EEH: Power4 systems sometimes need multiple resets. [POWERPC] Include <asm/mmu.h> in arch/powerpc/sysdev/fsl_soc.h for phys_addr_t. [POWERPC] Demacrofy arch/powerpc/platforms/maple/pci.c [POWERPC] Maple U3 HT - reject inappropriate config space access [POWERPC] Fix IPIC pending register assignments [POWERPC] powerpc: fix building gdb against asm/ptrace.h [POWERPC] Remove DISCONTIGMEM cruft from page.h [POWERPC] Merge iSeries i/o operations with the rest [POWERPC] 40x: Fix debug status register defines [POWERPC] Fix compile error in sbc8560 [POWERPC] EEH: support MMIO enable recovery step [POWERPC] EEH: enable MMIO/DMA on frozen slot [POWERPC] EEH: code comment cleanup [POWERPC] EEH: balance pcidev_get/put calls [POWERPC] PPC: Fix xmon stack frame address in backtrace [POWERPC] Add AT_PLATFORM value for Xilinx Virtex-4 FX [POWERPC] Start arch/powerpc/boot code reorganization [POWERPC] Define of_read_ulong helper [POWERPC] iseries: eliminate a couple of warnings ...
-
由 David Woodhouse 提交于
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
- 22 9月, 2006 22 次提交
-
-
由 David Woodhouse 提交于
This reverts commit 668040fc. The 'flags' field of the struct request is 'unsigned long'. Quite how Randy came to see 'long int format, different type arg' I don't know, but it doesn't seem to be the case any more. Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Claudio Lanconelli 提交于
Signed-off-by: NClaudio Lanconelli <lanconelli.claudio@eptar.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Jiri Slaby 提交于
Use pci_resource_start for getting start of regions and pci_iomap to not doing this directly by using dev->resource... (Thanks to Rolf Eike Beer) Signed-off-by: NJiri Slaby <jirislaby@gmail.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Jiri Slaby 提交于
Use kzalloc instad of kmalloc+memset(0). Signed-off-by: NJiri Slaby <jirislaby@gmail.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Jiri Slaby 提交于
Spaces were used for indent, there was more than 80 columns per line. Get rid of that stuff. Signed-off-by: NJiri Slaby <jirislaby@gmail.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Lennert Buytenhek 提交于
The iq80310 mtd map driver depends on ARCH_IQ80310, which isn't defined anywhere in the tree (as we don't have 80310 support), and furthermore, everything the driver does can be done with physmap instead. Signed-off-by: NLennert Buytenhek <buytenh@wantstofly.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Frank Haverkamp 提交于
Due to this typo, a wrong ECC layout table is chosen. Signed-off-by: NFrank Haverkamp <haver@vnet.ibm.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Lennert Buytenhek 提交于
Implement PM handling for physmap. Idea from Steven Scholz, patch by David Anders. Signed-off-by: NLennert Buytenhek <buytenh@wantstofly.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Amol Lad 提交于
ioremap must be balanced by an iounmap and failing to do so can result in a memory leak. Tested (compilation only) with: - allmodconfig - Modifying drivers/mtd/maps/Kconfig and drivers/mtd/nand/Kconfig to make sure that the changed file is compiling without warning Signed-off-by: NAmol Lad <amol@verismonetworks.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Alan Cox 提交于
Signed-off-by: NAlan Cox <alan@redhat.com> Cc: Greg KH <greg@kroah.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Randy Dunlap 提交于
Fix printk format warning(s): drivers/mtd/mtd_blkdevs.c:72: warning: long int format, different type arg (arg 2) Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Brian Walsh 提交于
If the amount of flash is not divisible by 2 then the mask in parse_mtd_partitions would fail to work as designed. Passing in the base address corrects this problem. Signed-off-by: NBrian Walsh <brian@walsh.ws> Cc: Deepak Sanexa <dsanexa@mvista.com> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Michal Piotrowski 提交于
We certainly don't need the check for Linux version > 2.5.2, and in fact we can also live without the __ECOS check, since we can just add it back in the eCos git tree which is automatically derived from the Linux fs/jffs2 subdirectory in the upstream git tree. Signed-off-by: NMichal Piotrowski <michal.k.k.piotrowski@gmail.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Michal Piotrowski 提交于
Signed-off-by: NMichal Piotrowski <michal.k.k.piotrowski@gmail.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Håvard Skinnemoen 提交于
Introduce the MTD_STUPID_LOCK flag which indicates that the flash chip is always locked after power-up, so all sectors need to be unlocked before it is usable. If this flag is set, and the chip provides an unlock() operation, mtd_add_device will unlock the whole MTD device if it's writeable. This means that non-writeable partitions will stay locked. Set MTD_STUPID_LOCK in fixup_use_atmel_lock() so that these chips will work as expected. Signed-off-by: NHåvard Skinnemoen <hskinnemoen@atmel.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Benjamin Herrenschmidt 提交于
Looks like a workaround for old bogus OF bitrot... This fixes it and hence fixes boot on some performa machines. Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-
由 Linas Vepstas 提交于
On detection of an EEH error, some Power4 systems seem to occasionally want to be reset twice before they report themselves as fully recovered. This patch re-arranges the code to attempt additional resets if the first one doesn't take. Signed-off-by: NLinas Vepstas <linas@austin.ibm.com> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-
由 Scott Wood 提交于
This patch causes fsl_soc.h to import the definition of phys_addr_t itself, rather than relying on its includer to do so. Signed-off-by: NScott Wood <scott@freescale.com> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-
由 Nathan Lynch 提交于
Noticed that the U3_*CFA macros have some typos: #define U3_HT_CFA0(devfn, off) \ ((((unsigned long)devfn) << 8) | offset) (refers to offset rather than off) #define U3_AGP_CFA0(devfn, off) \ ((1 << (unsigned long)PCI_SLOT(dev_fn)) \ | (((unsigned long)PCI_FUNC(dev_fn)) << 8) \ (refers to dev_fn rather than devfn) Things happen to work, but there doesn't seem to be any reason these shouldn't be functions. Overall behavior should be unchanged. Signed-off-by: NNathan Lynch <ntl@pobox.com> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-
由 Nathan Lynch 提交于
When there is a PCI-X mode 2 capable device behind the HT<->PCI-X bridge, the pci core decides that the device has the extended 4K config space, even though the bus is not operating in mode 2. This is because the u3_ht pci ops silently accept offsets greater than 255 but use only the 8 least significant bits, which means reading at offset 0x100 gets the data at offset 0x0, and causes confusion for lspci. Reject accesses to configuration space offsets greater than 255. Signed-off-by: NNathan Lynch <ntl@pobox.com> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-
由 Scott Wood 提交于
This patch fixes the assignment of pending registers to IRQ numbers for the IPIC; the code previously assigned all IRQs to the high pending word regardless of which word the interrupt belonged to. Signed-off-by: NScott Wood <scottwood@freescale.com> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-
由 Arnd Bergmann 提交于
Ulrich Weigand found a bug with the current version of the asm-powerpc/ptrace.h that prevents building at least the SPU target version of gdb, since some ptrace opcodes are not defined. The problem seems to have originated in the merging of 32 and 64 bit versions of that file, the problem is that some opcodes are only valid on 64 bit kernels, but are also used by 32 bit programs, so they can't depends on the __powerpc64__ symbol. Signed-off-by: NArnd Bergmann <arnd.bergmann@de.ibm.com> Signed-off-by: NPaul Mackerras <paulus@samba.org>
-