Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.
With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Since the upstreaming of the mlsxfrm modification a few months back,
testing has resulted in the identification of the following issues/bugs that
are resolved in this patch set.
1. Fix the security context used in the IKE negotiation to be the context
of the socket as opposed to the context of the SPD rule.
2. Fix SO_PEERSEC for tcp sockets to return the security context of
the peer as opposed to the source.
3. Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow.
The following would be the result of applying this patchset:
- SO_PEERSEC will now correctly return the peer's context.
- IKE deamons will receive the context of the source socket/flow
as opposed to the SPD rule's context so that the negotiated SA
will be at the same context as the source socket/flow.
- The SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
This Patch: Pass correct security context to IKE for use in negotiation
Fix the security context passed to IKE for use in negotiation to be the
context of the socket as opposed to the context of the SPD rule so that
the SA carries the label of the originating socket/flow.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Weirdness: the third argument of socket() is net-endian
here. Oh, well - it's documented in packet(7).
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
* 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/drzeus/mmc:
mmc: correct request error handling
mmc: Flush block queue when removing card
mmc: sdhci high speed support
mmc: Support for high speed SD cards
mmc: Fix mmc_delay() function
mmc: Add support for mmc v4 wide-bus modes
[PATCH] mmc: Add support for mmc v4 high speed mode
trivial change for mmc/Kconfig: MMC_PXA does not mean only PXA255
Make general code cleanups
Add MMC_CAP_{MULTIWRITE,BYTEBLOCK} flags
Platform device error handling cleanup
Move register definitions away from the header file
Change OMAP_MMC_{READ,WRITE} macros to use the host pointer
Replace base with virt_base and phys_base
mmc: constify mmc_host_ops vectors
mmc: remove kernel_thread()
Most PHYs connect to an ethernet controller over a GMII or MII
interface. However, a growing number are connected over
different interfaces, such as RGMII or SGMII.
The ethernet driver will tell the PHY what type of connection it
is by setting it manually, or passing it in through phy_connect
(or phy_attach).
Changes include:
* Updates to documentation
* Updates to PHY Lib consumers
* Changes to PHY Lib to add interface support
* Some minor changes to whitespace in phy.h
* gianfar driver now detects interface and passes appropriate
value to PHY Lib
Signed-off-by: Andrew Fleming <afleming@freescale.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Add pci device ids for the NVIDIA MCP67 chip.
Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
This patch adds two new defines for the SIOCSIWMLME to cover all
kinds MLMEs (well, except REASSOC) through a ioctl.
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
In the SoftMAC version of the IEEE 802.11 stack, not all duplicate messages are
detected. For the most part, there is no difficulty; however for TKIP and CCMP
encryption, the duplicates result in a "replay detected" log message where the
received and previous values of the TSC are identical. This change adds a new
variable to the ieee80211_device structure that holds the 'seq_ctl' value for
the previous frame. When a new frame repeats the value, the frame is dropped and
the appropriate counter is incremented.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This patch adds a host_strip_iv_icv flag to ieee80211 which indicates that
ieee80211_rx should strip the IV/ICV/other security features from the payload.
This saves on some memmove() calls in the driver and seems like something that
belongs in the stack as it can be used by bcm43xx, ipw2200, and zd1211rw
I will submit the ipw2200 patch separately as it needs testing.
This patch also adds some sensible variable reuse (idx vs keyidx) in
ieee80211_rx
Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
The <linux/phy.h> uses some types and macros defined in
<linux/ethtool.h>, <linux/mii.h>, <linux/timer.h> and <linux/workqueue.h>,
but fails to include these headers.
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
patch-mips-2.6.18-20060920-include-phy-16
Signed-off-by: Jeff Garzik <jeff@garzik.org>
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: (31 commits)
[MIPS] Remove duplicate ISA DMA code for 0 DMA channel case.
[MIPS] Remove unused definition of cpu_to_lelongp()
[MIPS] Remove userspace proofing from <asm/bitops.h>.
[MIPS] Remove old junk left from old atomic_lock.
[MIPS] Use conditional traps for BUG_ON on MIPS II and better.
[MIPS] mips HPT cleanup: make clocksource_mips public
[MIPS] do_IRQ cleanup
[MIPS] Avoid dupliate D-cache flush on R400C / R4400 SC and MC variants.
[MIPS] Remove redundant r4k_blast_icache() calls
[MIPS] Work around bogus gcc warnings.
[MIPS] Fix double inclusions
[MIPS] use generic_handle_irq, handle_level_irq, handle_percpu_irq
[MIPS] IRQ cleanups
[MIPS] mips hpt cleanup: get rid of mips_hpt_init
[MIPS] PB1200: Remove duplicate definitions
[MIPS] Fix alignment hole in struct cache_desc; shrink struct.
[MIPS] Oprofile: kernel support for the R10000.
[MIPS] Remove unused R10000 performance counter definitions.
[MIPS] Add support for kexec
[MIPS] Don't print presence of WAIT instruction on bootup.
...
* master.kernel.org:/pub/scm/linux/kernel/git/gregkh/usb-2.6: (103 commits)
usbcore: remove unused argument in autosuspend
USB: keep count of unsuspended children
USB hub: simplify remote-wakeup handling
USB: struct usb_device: change flag to bitflag
OHCI: make autostop conditional on CONFIG_PM
USB: Add autosuspend support to the hub driver
EHCI: Fix root-hub and port suspend/resume problems
USB: create a new thread for every USB device found during the probe sequence
USB: add driver for the USB debug devices
USB: added dynamic major number for USB endpoints
USB: pegasus error path not resetting task's state
USB: endianness fix for asix.c
USB: build the appledisplay driver
USB serial: replace kmalloc+memset with kzalloc
USB: hid-core: canonical defines for Apple USB device IDs
USB: idmouse cleanup
USB: make drivers/usb/core/driver.c:usb_device_match() static
USB: lh7a40x_udc remove double declaration
USB: pxa2xx_udc recognizes ixp425 rev b0 chip
usbtouchscreen: add support for DMC TSC-10/25 devices
...
* master.kernel.org:/pub/scm/linux/kernel/git/gregkh/driver-2.6: (36 commits)
Driver core: show drivers in /sys/module/
Documentation/driver-model/platform.txt update/rewrite
Driver core: platform_driver_probe(), can save codespace
driver core: Use klist_remove() in device_move()
driver core: Introduce device_move(): move a device to a new parent.
Driver core: make drivers/base/core.c:setup_parent() static
driver core: Introduce device_find_child().
sysfs: sysfs_write_file() writes zero terminated data
cpu topology: consider sysfs_create_group return value
Driver core: Call platform_notify_remove later
ACPI: Change ACPI to use dev_archdata instead of firmware_data
Driver core: add dev_archdata to struct device
Driver core: convert sound core to use struct device
Driver core: change mem class_devices to be real devices
Driver core: convert fb code to use struct device
Driver core: convert firmware code to use struct device
Driver core: convert mmc code to use struct device
Driver core: convert ppdev code to use struct device
Driver core: convert PPP code to use struct device
Driver core: convert cpuid code to use struct device
...
Show the drivers, which belong to the module:
$ ls -l /sys/module/usbcore/drivers/
hub -> ../../../bus/usb/drivers/hub
usb -> ../../../bus/usb/drivers/usb
usbfs -> ../../../bus/usb/drivers/usbfs
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This defines a new platform_driver_probe() method allowing the driver's
probe() method, and its support code+data, to safely live in __init
sections for typical system configurations.
Many system-on-chip processors could benefit from this API, to the tune
of recovering hundreds to thousands of bytes per driver. That's memory
which is currently wasted holding code which can never be called after
system startup, yet can not be removed. It can't be removed because of
the linkage requirement that pointers to init section code (like, ideally,
probe support) must not live in other sections (like driver method tables)
after those pointers would be invalid.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Provide a function device_move() to move a device to a new parent device. Add
auxilliary functions kobject_move() and sysfs_move_dir().
kobject_move() generates a new uevent of type KOBJ_MOVE, containing the
previous path (DEVPATH_OLD) in addition to the usual values. For this, a new
interface kobject_uevent_env() is created that allows to add further
environmental data to the uevent at the kobject layer.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Kay Sievers <kay.sievers@vrfy.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Change ACPI to use dev_archdata instead of firmware_data
This patch changes ACPI to use the new dev_archdata on i386, x86_64
and ia64 (is there any other arch using ACPI ?) to store it's
acpi_handle.
It also removes the firmware_data field from struct device as this
was the only user.
Only build-tested on x86
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Len Brown <lenb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Add arch specific dev_archdata to struct device
Adds an arch specific struct dev_arch to struct device. This enables
architecture to add specific fields to every device in the system, like
DMA operation pointers, NUMA node ID, firmware specific data, etc...
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Andi Kleen <ak@suse.de>
Acked-By: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Converts from using struct "class_device" to "struct device" making
everything show up properly in /sys/devices/ with symlinks from the
/sys/class directory.
It also makes the struct sound_card to show up as a "real" device
where all the different sound class devices are placed as childs
and different card attribute files can hang off of. /sys/class/sound is
still a flat directory, but the symlink targets of all devices belonging
to the same card, point the the /sys/devices tree below the new card
device object.
Thanks to Kay for the updates to this patch.
Signed-off-by: Kay Sievers <kay.sievers@novell.com>
Acked-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Converts from using struct "class_device" to "struct device" making
everything show up properly in /sys/devices/ with symlinks from the
/sys/class directory.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Converts from using struct "class_device" to "struct device" making
everything show up properly in /sys/devices/ with symlinks from the
/sys/class directory.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Converts from using struct "class_device" to "struct device" making
everything show up properly in /sys/devices/ with symlinks from the
/sys/class directory.
Also fixes up the isdn drivers that were putting something in the class
device's directory.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This also ment that some of the misc drivers had to also be fixed
up as they were assuming the device was a class_device.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Zijlstra
Venkat Yekkirala
Al Viro
Linus Torvalds
Andy Fleming
Mariusz Kozlowski
Ayaz Abdulla
Christian Lamparter
Larry Finger
Daniel Drake
Maciej W. Rozycki
Kay Sievers
David Brownell
Cornelia Huck
Benjamin Herrenschmidt
Greg Kroah-Hartman