1. 03 3月, 2007 1 次提交
  2. 03 12月, 2006 12 次提交
  3. 31 10月, 2006 1 次提交
    • P
      [NetLabel]: protect the CIPSOv4 socket option from setsockopt() · f8687afe
      Paul Moore 提交于
      This patch makes two changes to protect applications from either removing or
      tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
      that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
      on a socket; this prevents untrusted applications from setting their own
      CIPSOv4 security attributes on the packets they send.  The second change is to
      SELinux and it prevents applications from setting any IPv4 options when there
      is an IPOPT_CIPSO option already present on the socket; this prevents
      applications from removing CIPSOv4 security attributes from the packets they
      send.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8687afe
  4. 16 10月, 2006 2 次提交
  5. 12 10月, 2006 1 次提交
  6. 30 9月, 2006 1 次提交
  7. 29 9月, 2006 1 次提交
  8. 26 9月, 2006 3 次提交
  9. 23 9月, 2006 2 次提交
    • A
      [NET]: Make code static. · 8ce11e6a
      Adrian Bunk 提交于
      This patch makes needlessly global code static.
      Signed-off-by: NAdrian Bunk <bunk@stusta.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8ce11e6a
    • P
      [NetLabel]: CIPSOv4 engine · 446fda4f
      Paul Moore 提交于
      Add support for the Commercial IP Security Option (CIPSO) to the IPv4
      network stack.  CIPSO has become a de-facto standard for
      trusted/labeled networking amongst existing Trusted Operating Systems
      such as Trusted Solaris, HP-UX CMW, etc.  This implementation is
      designed to be used with the NetLabel subsystem to provide explicit
      packet labeling to LSM developers.
      
      The CIPSO/IPv4 packet labeling works by the LSM calling a NetLabel API
      function which attaches a CIPSO label (IPv4 option) to a given socket;
      this in turn attaches the CIPSO label to every packet leaving the
      socket without any extra processing on the outbound side.  On the
      inbound side the individual packet's sk_buff is examined through a
      call to a NetLabel API function to determine if a CIPSO/IPv4 label is
      present and if so the security attributes of the CIPSO label are
      returned to the caller of the NetLabel API function.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      446fda4f