Al Viro [Tue, 21 Nov 2006 01:00:44 +0000 (17:00 -0800)]
[SCTP]: SCTP_CMD_INIT_FAILED annotations.
argument stored for SCTP_CMD_INIT_FAILED is always __be16
(protocol error). Introduced new field and accessor for
it (SCTP_PERR()); switched to their use (from SCTP_U32() and
.u32)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Gerrit Renker [Mon, 20 Nov 2006 20:39:23 +0000 (18:39 -0200)]
[DCCP]: Simplified conditions due to use of enum:8 states
This reaps the benefit of the earlier patch, which changed the type of
CCID 3 states to use enums, in that many conditions are now simplified
and the number of possible (unexpected) values is greatly reduced.
In a few instances, this also allowed to simplify pre-conditions; where
care has been taken to retain logical equivalence.
[DCCP]: Introduce a consistent BUG/WARN message scheme
This refines the existing set of DCCP messages so that
* BUG(), BUG_ON(), WARN_ON() have meaningful DCCP-specific counterparts
* DCCP_CRIT (for severe warnings) is not rate-limited
* DCCP_WARN() is introduced as rate-limited wrapper
Using these allows a faster and cleaner transition to their original
counterparts once the code has matured into a full DCCP implementation.
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Ian McDonald [Mon, 20 Nov 2006 20:30:17 +0000 (18:30 -0200)]
[DCCP]: Set TX Queue Length Bounds via Sysctl
Previously the transmit queue was unbounded.
This patch:
* puts a limit on transmit queue length
and sends back EAGAIN if the buffer is full
* sets the TX queue length to a sensible default
* implements tx buffer sysctls for DCCP
Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Gerrit Renker [Mon, 20 Nov 2006 20:26:03 +0000 (18:26 -0200)]
[DCCP]: enable debug messages also for static builds
This patch
* makes debugging (when configured) work both for static / module build
* provides generic debugging macros for use in other DCCP / CCID modules
* adds missing information about debug parameters to Kconfig
* performs some code tidy-up
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Michael Chan [Sun, 19 Nov 2006 22:06:40 +0000 (14:06 -0800)]
[BNX2]: Fix Xen problem.
This fixes the problem of not receiving packets in the Xen bridging
environment. The Xen script sets the device's MAC address to
FE:FF:FF:FF:FF:FF and puts the device in promiscuous mode. The
firmware had problem receiving all packets in this configuration.
New firmware and setting the PROM_VLAN bit when in promiscuous mode
will fix this problem.
Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Moore [Fri, 17 Nov 2006 22:38:55 +0000 (17:38 -0500)]
NetLabel: honor the audit_enabled flag
The audit_enabled flag is used to signal when syscall auditing is to be
performed. While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention to the audit_enabled flag when generating audit messages in
NetLabel.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:54 +0000 (17:38 -0500)]
SELinux: peer secid consolidation for external network labeling
Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel. In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several places to get the
security context of the packet's external label which allows us to further
simplify the code in a few places.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:53 +0000 (17:38 -0500)]
NetLabel: SELinux cleanups
This patch does a lot of cleanup in the SELinux NetLabel support code. A
summary of the changes include:
* Use RCU locking for the NetLabel state variable in the skk_security_struct
instead of using the inode_security_struct mutex.
* Remove unnecessary parameters in selinux_netlbl_socket_post_create().
* Rename selinux_netlbl_sk_clone_security() to
selinux_netlbl_sk_security_clone() to better fit the other NetLabel
sk_security functions.
* Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
the common case.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:52 +0000 (17:38 -0500)]
NetLabel: use cipso_v4_doi_search() for local CIPSOv4 functions
The cipso_v4_doi_search() function behaves the same as cipso_v4_doi_getdef()
but is a local, static function so use it whenever possibile in the CIPSOv4
code base.
Signed-of-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:51 +0000 (17:38 -0500)]
NetLabel: use the correct CIPSOv4 MLS label limits
The CIPSOv4 engine currently has MLS label limits which are slightly larger
than what the draft allows. This is not a major problem due to the current
implementation but we should fix this so it doesn't bite us later.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:50 +0000 (17:38 -0500)]
NetLabel: return the correct error for translated CIPSOv4 tags
The CIPSOv4 translated tag #1 mapping does not always return the correct error
code if the desired mapping does not exist; instead of returning -EPERM it
returns -ENOSPC indicating that the buffer is not large enough to hold the
translated value. This was caused by failing to check a specific error
condition. This patch fixes this so that unknown mappings return
-EPERM which is consistent with the rest of the related CIPSOv4 code.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:49 +0000 (17:38 -0500)]
NetLabel: fixup the handling of CIPSOv4 tags to allow for multiple tag types
While the original CIPSOv4 code had provisions for multiple tag types the
implementation was not as great as it could be, pushing a lot of non-tag
specific processing into the tag specific code blocks. This patch fixes that
issue making it easier to support multiple tag types in the future.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:48 +0000 (17:38 -0500)]
NetLabel: add tag verification when adding new CIPSOv4 DOI definitions
Currently the CIPSOv4 engine does not do any sort of checking when a new DOI
definition is added. The tags are still verified but only as a side effect of
normal NetLabel operation (packet processing, socket labeling, etc.) which
would cause application errors due to the faulty configuration. This patch
adds tag checking when new DOI definition are added allowing us to catch these
configuration problems when they happen.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:47 +0000 (17:38 -0500)]
NetLabel: check for a CIPSOv4 option before we do call into the CIPSOv4 layer
Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if
a CIPSO IP option is present. However, we can do this check directly in the
NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save
us a function call in the common case of not having a CIPSOv4 option present.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:46 +0000 (17:38 -0500)]
NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate which attributes are present in the structure; this
should allow the LSM to do a quick comparison to determine if the structure
holds any security attributes.
Example:
if (netlbl_lsm_secattr->flags)
/* security attributes present */
else
/* NO security attributes present */
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:44 +0000 (17:38 -0500)]
NetLabel: convert the unlabeled accept flag to use RCU
Currently the NetLabel unlabeled packet accept flag is an atomic type and it
is checked for every non-NetLabel packet which comes into the system but rarely
ever changed. This patch changes this flag to a normal integer and protects it
with RCU locking.
Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Andrea Bittau [Thu, 16 Nov 2006 16:28:40 +0000 (14:28 -0200)]
[DCCP] CCID2: Code optimizations
These are code optimizations which are relevant when dealing with large
windows. They are not coded the way I would like to, but they do the job for
the short-term. This patch should be more neat.
Commiter note: Changed the seqno comparisions to use {after,before}48 to handle
wrapping.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Gerrit Renker [Wed, 15 Nov 2006 23:27:47 +0000 (21:27 -0200)]
[DCCP]: Introduce DCCP_{BUG{_ON},CRIT} macros, use enum:8 for the ccid3 states
This patch tackles the following problem:
* the ccid3_hc_{t,r}x_sock define ccid3hc{t,r}x_state as `u8', but
in reality there can only be a few, pre-defined enum names
* this necessitates addiditional checking for unexpected values
which would otherwise be caught by the compiler
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Al Viro [Wed, 15 Nov 2006 05:44:08 +0000 (21:44 -0800)]
[NET]: Preliminaty annotation of skb->csum.
It's still not completely right; we need to split it into anon unions
of __wsum and unsigned - for cases when we use it for partial checksum
and for offset of checksum in skb
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>