android_kernel_xiaomi_sm8350/include/net
Paul Moore 389fb800ac netlabel: Label incoming TCP connections correctly in SELinux
The current NetLabel/SELinux behavior for incoming TCP connections works but
only through a series of happy coincidences that rely on the limited nature of
standard CIPSO (only able to convey MLS attributes) and the write equality
imposed by the SELinux MLS constraints.  The problem is that network sockets
created as the result of an incoming TCP connection were not on-the-wire
labeled based on the security attributes of the parent socket but rather based
on the wire label of the remote peer.  The issue had to do with how IP options
were managed as part of the network stack and where the LSM hooks were in
relation to the code which set the IP options on these newly created child
sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
label it was promptly cleared by the network stack and reset based on the IP
options of the remote peer.

This patch, in conjunction with a prior patch that adjusted the LSM hook
locations, works to set the correct on-the-wire label format for new incoming
connections through the security_inet_conn_request() hook.  Besides the
correct behavior there are many advantages to this change, the most significant
is that all of the NetLabel socket labeling code in SELinux now lives in hooks
which can return error codes to the core stack which allows us to finally get
ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
the NetLabel/SELinux glue code.  In the process of developing this patch I
also ran into a small handful of AF_INET6 cleanliness issues that have been
fixed which should make the code safer and easier to extend in the future.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-03-28 15:01:36 +11:00
..
9p 9p: fix sparse warnings 2008-10-22 18:54:47 -05:00
bluetooth Bluetooth: Ask upper layers for HCI disconnect reason 2009-02-27 06:14:43 +01:00
irda irda: Add irda_skb_cb qdisc related padding 2008-12-17 15:44:58 -08:00
iucv [S390] iucv: Locking free version of iucv_message_(receive|send) 2008-12-25 13:39:04 +01:00
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-26 22:45:23 -07:00
netns netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25 21:05:46 +01:00
phonet Phonet: use per-namespace devices list 2009-01-26 21:03:35 -08:00
sctp sctp: Clean up TEST_FRAME hacks. 2009-03-21 13:41:09 -07:00
tc_act
tipc
act_api.h
addrconf.h ipv6: Fix conflict resolutions during ipv6 binding 2009-03-24 19:49:11 -07:00
af_rxrpc.h
af_unix.h net: Fix soft lockups/OOM issues w/ unix garbage collector 2008-11-26 15:32:27 -08:00
ah.h
arp.h
atmclip.h clip: convert to internal network_device_stats 2009-01-21 14:01:59 -08:00
ax25.h
ax88796.h ax88796: Add method to take MAC from platform data 2009-03-24 23:32:03 -07:00
cfg80211.h cfg80211: add feature to hold bss 2009-03-27 20:13:13 -04:00
checksum.h include/net net/ - csum_partial - remove unnecessary casts 2008-11-19 15:44:53 -08:00
cipso_ipv4.h netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
compat.h
datalink.h
dcbnl.h net: fix DCB setstate to return success/failure 2008-12-21 20:09:50 -08:00
dn_dev.h
dn_fib.h decnet: remove private wrappers of endian helpers 2008-11-27 00:12:47 -08:00
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h decnet: compile fix for removal of byteorder wrapper 2008-11-27 23:04:13 -08:00
dsa.h dsa: add switch chip cascading support 2009-03-21 19:06:54 -07:00
dsfield.h
dst.h netns xfrm: lookup in netns 2008-11-25 17:35:18 -08:00
esp.h
ethoc.h net: Add support for the OpenCores 10/100 Mbps Ethernet MAC. 2009-03-27 00:16:21 -07:00
fib_rules.h
flow.h netns xfrm: lookup in netns 2008-11-25 17:35:18 -08:00
garp.h
gen_stats.h pkt_sched: gen_estimator: Optimize gen_estimator_active() 2008-11-26 15:24:32 -08:00
genetlink.h
icmp.h
ieee80211_radiotap.h wireless: radiotap updates 2009-03-27 20:12:52 -04:00
if_inet6.h ipv6: reorder struct inet6_ifaddr to remove padding on 64 bit builds 2009-03-21 13:29:05 -07:00
inet6_connection_sock.h
inet6_hashtables.h inet: Don't lookup the socket if there's a socket attached to the skb 2008-10-07 12:41:01 -07:00
inet_common.h
inet_connection_sock.h
inet_ecn.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
inet_frag.h inet fragments: fix sparse warning: context imbalance 2009-02-26 23:13:35 -08:00
inet_hashtables.h net: move bsockets outside of read only beginning of struct inet_hashinfo 2009-02-01 12:31:33 -08:00
inet_sock.h tcp: Port redirection support for TCP 2008-10-01 07:46:49 -07:00
inet_timewait_sock.h net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls 2008-11-16 19:40:17 -08:00
inetpeer.h
ip6_checksum.h
ip6_fib.h
ip6_route.h
ip6_tunnel.h
ip_fib.h
ip_vs.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
ip.h ip: support for TX timestamps on UDP and RAW sockets 2009-02-15 22:43:38 -08:00
ipcomp.h
ipconfig.h
ipip.h inet: Make tunnel RX/TX byte counters more consistent 2008-10-09 12:03:17 -07:00
ipv6.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
ipx.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
iw_handler.h
lapb.h
lib80211.h wireless: missing include in lib80211.h 2008-11-21 11:42:55 -05:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
mac80211.h mac80211/iwlwifi: move virtual A-MDPU queue bookkeeping to iwlwifi 2009-03-27 20:13:23 -04:00
mip6.h
ndisc.h ipv6: Fix sporadic sendmsg -EINVAL when sending to multicast groups. 2009-01-04 16:04:39 -08:00
neighbour.h net: Cleanup of neighbour code 2008-11-12 00:54:54 -08:00
net_namespace.h netns: Remove net_alive 2009-03-03 01:14:27 -08:00
netdma.h net_dma: convert to dma_find_channel 2009-01-06 11:38:15 -07:00
netevent.h
netlabel.h netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
netlink.h netlink: add nla_policy_len() 2009-03-25 18:26:30 +01:00
netrom.h netrom: convert to internal net_device_stats 2009-01-21 14:02:01 -08:00
nexthop.h
p8022.h
pkt_cls.h ematch: simpler tcf_em_unregister() 2008-11-16 23:01:49 -08:00
pkt_sched.h pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving warning handler. 2009-02-01 01:12:42 -08:00
protocol.h ipv6: Add GRO support 2009-01-08 10:40:57 -08:00
psnap.h snap: use const for descriptor 2009-03-21 19:06:50 -07:00
raw.h
rawv6.h
red.h
request_sock.h net: Fix memory leak in the proto_register function 2008-11-21 16:45:22 -08:00
rose.h
route.h ipv4: Conditionally enable transparent flow flag when connecting 2008-10-01 07:35:39 -07:00
rtnetlink.h
sch_generic.h net: reorder struct Qdisc for better SMP performance 2009-03-20 01:33:32 -07:00
scm.h Merge branch 'master' into next 2008-11-14 11:29:12 +11:00
slhc_vj.h
snmp.h
sock.h Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-02-24 03:50:29 -08:00
stp.h
tcp_states.h
tcp.h tcp: simplify tcp_current_mss 2009-03-15 20:09:54 -07:00
timewait_sock.h net: Fix memory leak in the proto_register function 2008-11-21 16:45:22 -08:00
transp_v6.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
udp.h ipv6: Fix conflict resolutions during ipv6 binding 2009-03-24 19:49:11 -07:00
udplite.h udp: introduce struct udp_table and multiple spinlocks 2008-10-29 01:41:45 -07:00
wext.h
wimax.h wimax: fix typo in kernel-doc for debugfs_dentry in struct wimax_dev 2009-01-11 00:06:32 -08:00
wireless.h cfg80211: Add AP beacon regulatory hints 2009-02-27 14:52:59 -05:00
x25.h
x25device.h
xfrm.h netns xfrm: per-netns sysctls 2008-11-25 18:00:48 -08:00