* Re: [PATCH] TCP congestion module: add TCP-LP supporting for 2.6.16.14
From: David S. Miller @ 2006-05-07 5:48 UTC (permalink / raw)
To: hswong3i; +Cc: netdev, linux-kernel
In-Reply-To: <3feffd230605062232m1b9a3951h6d21071cdacc890f@mail.gmail.com>
How many times are you going to post this same patch over and over
again? Please don't do that, thank you.
We all saw it the first time.
* [PATCH] core: linkwatch should use jiffies64
From: Stefan Rompf @ 2006-05-07 10:13 UTC (permalink / raw)
To: netdev; +Cc: David S. Miller
Hi,
the linkwatch code can overflow on a jiffies wrap, scheduling
work with a too large delay. If the delay is >0x80000000,
internal_add_timer() seems to overflow too, hiding the bug, so
this isn't triggered too easily.
Best solution is to use jiffies64 for calculation as these
events happen with any possible delay in between.
This should be 2.6.17 stuff.
Signed-off-by: Stefan Rompf <stefan@loplof.de>
--- linux-2.6.17-rc3/net/core/link_watch.c.orig 2006-04-27 20:37:09.000000000 +0200
+++ linux-2.6.17-rc3/net/core/link_watch.c 2006-04-27 21:49:00.000000000 +0200
@@ -32,8 +32,8 @@
LW_SE_USED
};
+static u64 linkwatch_nextevent;
static unsigned long linkwatch_flags;
-static unsigned long linkwatch_nextevent;
static void linkwatch_event(void *dummy);
static DECLARE_WORK(linkwatch_work, linkwatch_event, NULL);
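Review bot: the variable is moved above linkwatch_flags as well as changed to u64, which makes the diff larger than the fix needs; changing only the type in place (`static u64 linkwatch_nextevent;`) would show the intent at a glance. Any other reader of linkwatch_nextevent in this file (the delay handed to the delayed-work path) is not visible in the diff and must be converted in the same patch.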
@@ -136,7 +136,7 @@
* cause a storm of messages on the netlink
* socket
*/
- linkwatch_nextevent = jiffies + HZ;
+ linkwatch_nextevent = get_jiffies_64() + HZ;
clear_bit(LW_RUNNING, &linkwatch_flags);
rtnl_lock();
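Review bot: a u64 store is not atomic on 32-bit, but this assignment happens before clear_bit(LW_RUNNING, ...) and the reader in the next hunk sits inside test_and_set_bit(LW_RUNNING, ...), so the two are serialized by that bit; a one-line comment beside `linkwatch_nextevent = get_jiffies_64() + HZ;` saying so would keep a later refactor from breaking the ordering.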
@@ -170,7 +170,7 @@
spin_unlock_irqrestore(&lweventlist_lock, flags);
if (!test_and_set_bit(LW_RUNNING, &linkwatch_flags)) {
- unsigned long thisevent = jiffies;
+ u64 thisevent = get_jiffies_64();
if (thisevent >= linkwatch_nextevent) {
schedule_work(&linkwatch_work);
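Review bot: `if (thisevent >= linkwatch_nextevent)` is still a plain compare, only on wider values; the usual kernel idiom for this is time_after_eq(jiffies, linkwatch_nextevent), which handles a wrapping unsigned long without widening anything. If the u64 route is kept, the delay computed right after this compare for the delayed-work path (not shown in the hunk) is `linkwatch_nextevent - thisevent` and has to fit an unsigned long, so it should be truncated or clamped explicitly rather than through an implicit conversion.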
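The overflow described in the mail above, modelled in user space as an added example (not part of the patch or of the kernel's link_watch.c): a constructed 32-bit jiffies counter, the plain `>=` compare and `next - now` delay of the pre-patch code, the kernel's time_after_eq() idiom re-implemented here as a signed difference (an assumption about the macro, stated in the comment), and the 64-bit compare the patch switches to. It covers both directions of the wrap, the "too large delay" case from the mail and the mirror case where the rate limit is bypassed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of jiffies on a 32-bit kernel. */
typedef uint32_t jiffies32;
#define HZ 1000u

/* Compare and delay computation as the pre-patch linkwatch code does them:
 * a plain unsigned ">=" and an unsigned subtraction. */
static bool due_plain(jiffies32 now, jiffies32 next)
{
    return now >= next;
}

static jiffies32 delay_plain(jiffies32 now, jiffies32 next)
{
    return (jiffies32)(next - now);
}

/* Wrap-safe compare in the style of the kernel's time_after_eq() macro
 * (assumption: modelled here as a signed difference, which is how the
 * kernel defines it for unsigned long jiffies). */
static bool due_time_after_eq(jiffies32 now, jiffies32 next)
{
    return (int32_t)(now - next) >= 0;
}

/* Delay that is only computed once the wrap-safe test says "not yet due",
 * so it can never be the huge value the plain version produces. */
static jiffies32 delay_safe(jiffies32 now, jiffies32 next)
{
    return due_time_after_eq(now, next) ? 0 : (jiffies32)(next - now);
}

/* The patch's approach: a 64-bit counter that does not wrap in practice,
 * so a plain compare is correct again. */
static bool due_64(uint64_t now, uint64_t next)
{
    return now >= next;
}

/* Case 1, the bug from the mail: the rate limit was armed before the wrap
 * (next = 0xFFFFF3E8), jiffies has since wrapped to 0x10 (0x1010 ticks
 * later, so the event is overdue). The plain compare says "not due" and
 * the computed delay is about 49 days at HZ=1000. */
static jiffies32 bug_case_delay(void)
{
    jiffies32 armed_at = 0xFFFFF000u;
    jiffies32 next = (jiffies32)(armed_at + HZ);   /* 0xFFFFF3E8, not wrapped yet */
    jiffies32 now = 0x00000010u;                   /* counter wrapped since */
    return delay_plain(now, next);                 /* 0xFFFFF3D8 */
}

/* Case 2, the mirror image: next itself wrapped (0xFFFFFFF0 + HZ = 0x3D8)
 * while jiffies is still just below the wrap. Only 8 ticks have passed,
 * but the plain compare reports "due" and bypasses the rate limit. */
static bool wrapped_next_plain_says_due(void)
{
    jiffies32 next = (jiffies32)(0xFFFFFFF0u + HZ); /* 0x000003D8 */
    jiffies32 now = 0xFFFFFFF8u;
    return due_plain(now, next);                    /* true, wrongly */
}

int main(void)
{
    jiffies32 next1 = 0xFFFFF3E8u, now1 = 0x00000010u;
    printf("case 1: plain due=%d delay=0x%08x | time_after_eq due=%d delay=%u | 64-bit due=%d\n",
           due_plain(now1, next1), bug_case_delay(),
           due_time_after_eq(now1, next1), delay_safe(now1, next1),
           due_64(0x100000010ULL, 0xFFFFF3E8ULL));

    jiffies32 next2 = 0x000003D8u, now2 = 0xFFFFFFF8u;
    printf("case 2: plain due=%d | time_after_eq due=%d delay=%u ticks\n",
           wrapped_next_plain_says_due(),
           due_time_after_eq(now2, next2), delay_safe(now2, next2));
    return 0;
}
```

Both fixes give the same verdicts on the two constructed cases; the difference is that time_after_eq() keeps the counter at its native width, which is why it is the idiom reviewers usually ask for over widening to 64 bits.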
* [PATCH] Documentation: add missing operstates.txt
From: Stefan Rompf @ 2006-05-07 10:18 UTC (permalink / raw)
To: netdev
Hi,
seems documentation got lost when the RFC2863-patch was applied. Having
documentation is good, so I resend it ;-)
Signed-off-by: Stefan Rompf <stefan@loplof.de>
--- /dev/null 2005-03-19 20:36:14.000000000 +0100
+++ linux-2.6.17-rc3/Documentation/networking/operstates.txt 2006-04-27 22:15:23.000000000 +0200
@@ -0,0 +1,161 @@
+
+1. Introduction
+
+Linux distinguishes between administrative and operational state of an
+interface. Admininstrative state is the result of "ip link set dev
+<dev> up or down" and reflects whether the administrator wants to use
+the device for traffic.
+
+However, an interface is not usable just because the admin enabled it
+- ethernet requires to be plugged into the switch and, depending on
+a site's networking policy and configuration, an 802.1X authentication
+to be performed before user data can be transferred. Operational state
+shows the ability of an interface to transmit this user data.
+
+Thanks to 802.1X, userspace must be granted the possibility to
+influence operational state. To accommodate this, operational state is
+split into two parts: Two flags that can be set by the driver only, and
+a RFC2863 compatible state that is derived from these flags, a policy,
+and changeable from userspace under certain rules.
+
+
+2. Querying from userspace
+
+Both admin and operational state can be queried via the netlink
+operation RTM_GETLINK. It is also possible to subscribe to RTMGRP_LINK
+to be notified of updates. This is important for setting from userspace.
+
+These values contain interface state:
+
+ifinfomsg::if_flags & IFF_UP:
+ Interface is admin up
+ifinfomsg::if_flags & IFF_RUNNING:
+ Interface is in RFC2863 operational state UP or UNKNOWN. This is for
+ backward compatibility, routing daemons, dhcp clients can use this
+ flag to determine whether they should use the interface.
+ifinfomsg::if_flags & IFF_LOWER_UP:
+ Driver has signaled netif_carrier_on()
+ifinfomsg::if_flags & IFF_DORMANT:
+ Driver has signaled netif_dormant_on()
+
+These interface flags can also be queried without netlink using the
+SIOCGIFFLAGS ioctl.
+
+TLV IFLA_OPERSTATE
+
+contains RFC2863 state of the interface in numeric representation:
+
+IF_OPER_UNKNOWN (0):
+ Interface is in unknown state, neither driver nor userspace has set
+ operational state. Interface must be considered for user data as
+ setting operational state has not been implemented in every driver.
+IF_OPER_NOTPRESENT (1):
+ Unused in current kernel (notpresent interfaces normally disappear),
+ just a numerical placeholder.
+IF_OPER_DOWN (2):
+ Interface is unable to transfer data on L1, f.e. ethernet is not
+ plugged or interface is ADMIN down.
+IF_OPER_LOWERLAYERDOWN (3):
+ Interfaces stacked on an interface that is IF_OPER_DOWN show this
+ state (f.e. VLAN).
+IF_OPER_TESTING (4):
+ Unused in current kernel.
+IF_OPER_DORMANT (5):
+ Interface is L1 up, but waiting for an external event, f.e. for a
+ protocol to establish. (802.1X)
+IF_OPER_UP (6):
+ Interface is operational up and can be used.
+
+This TLV can also be queried via sysfs.
+
+TLV IFLA_LINKMODE
+
+contains link policy. This is needed for userspace interaction
+described below.
+
+This TLV can also be queried via sysfs.
+
+
+3. Kernel driver API
+
+Kernel drivers have access to two flags that map to IFF_LOWER_UP and
+IFF_DORMANT. These flags can be set from everywhere, even from
+interrupts. It is guaranteed that only the driver has write access,
+however, if different layers of the driver manipulate the same flag,
+the driver has to provide the synchronisation needed.
+
+__LINK_STATE_NOCARRIER, maps to !IFF_LOWER_UP:
+
+The driver uses netif_carrier_on() to clear and netif_carrier_off() to
+set this flag. On netif_carrier_off(), the scheduler stops sending
+packets. The name 'carrier' and the inversion are historical, think of
+it as lower layer.
+
+netif_carrier_ok() can be used to query that bit.
+
+__LINK_STATE_DORMANT, maps to IFF_DORMANT:
+
+Set by the driver to express that the device cannot yet be used
+because some driver controlled protocol establishment has to
+complete. Corresponding functions are netif_dormant_on() to set the
+flag, netif_dormant_off() to clear it and netif_dormant() to query.
+
+On device allocation, networking core sets the flags equivalent to
+netif_carrier_ok() and !netif_dormant().
+
+
+Whenever the driver CHANGES one of these flags, a workqueue event is
+scheduled to translate the flag combination to IFLA_OPERSTATE as
+follows:
+
+!netif_carrier_ok():
+ IF_OPER_LOWERLAYERDOWN if the interface is stacked, IF_OPER_DOWN
+ otherwise. Kernel can recognise stacked interfaces because their
+ ifindex != iflink.
+
+netif_carrier_ok() && netif_dormant():
+ IF_OPER_DORMANT
+
+netif_carrier_ok() && !netif_dormant():
+ IF_OPER_UP if userspace interaction is disabled. Otherwise
+ IF_OPER_DORMANT with the possibility for userspace to initiate the
+ IF_OPER_UP transition afterwards.
+
+
+4. Setting from userspace
+
+Applications have to use the netlink interface to influence the
+RFC2863 operational state of an interface. Setting IFLA_LINKMODE to 1
+via RTM_SETLINK instructs the kernel that an interface should go to
+IF_OPER_DORMANT instead of IF_OPER_UP when the combination
+netif_carrier_ok() && !netif_dormant() is set by the
+driver. Afterwards, the userspace application can set IFLA_OPERSTATE
+to IF_OPER_DORMANT or IF_OPER_UP as long as the driver does not set
+netif_carrier_off() or netif_dormant_on(). Changes made by userspace
+are multicasted on the netlink group RTMGRP_LINK.
+
+So basically a 802.1X supplicant interacts with the kernel like this:
+
+-subscribe to RTMGRP_LINK
+-set IFLA_LINKMODE to 1 via RTM_SETLINK
+-query RTM_GETLINK once to get initial state
+-if initial flags are not (IFF_LOWER_UP && !IFF_DORMANT), wait until
+ netlink multicast signals this state
+-do 802.1X, eventually abort if flags go down again
+-send RTM_SETLINK to set operstate to IF_OPER_UP if authentication
+ succeeds, IF_OPER_DORMANT otherwise
+-see how operstate and IFF_RUNNING is echoed via netlink multicast
+-set interface back to IF_OPER_DORMANT if 802.1X reauthentication
+ fails
+-restart if kernel changes IFF_LOWER_UP or IFF_DORMANT flag
+
+if supplicant goes down, bring back IFLA_LINKMODE to 0 and
+IFLA_OPERSTATE to a sane value.
+
+A routing daemon or dhcp client just needs to care for IFF_RUNNING or
+waiting for operstate to go IF_OPER_UP/IF_OPER_UNKNOWN before
+considering the interface / querying a DHCP address.
+
+
+For technical questions and/or comments please e-mail to Stefan Rompf
+(stefan at loplof.de).
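Review bot: a few typos to catch before this lands: "Admininstrative" in section 1 should be "Administrative", "f.e." throughout should be "e.g.", and in section 4 "see how operstate and IFF_RUNNING is echoed" should read "are echoed". Also, the IF_OPER_UNKNOWN entry in section 2 says such interfaces "must be considered for user data"; repeating there that IFF_RUNNING is set for both UP and UNKNOWN (as the IFF_RUNNING entry above it already states) would save readers of that list a cross-reference.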
* when to use ip_route_input() and not ip_route_output_key
From: benzi vizman @ 2006-05-07 11:58 UTC (permalink / raw)
To: netdev
Hi,
Can one summarize what the cases are for calling each of these routing queries?
What are the differences?
Benzi.
* Re: Associate on 'ifconfig up'
From: Michael Buesch @ 2006-05-07 13:06 UTC (permalink / raw)
To: linville; +Cc: bcm43xx-dev, netdev, David Woodhouse
In-Reply-To: <1146939849.2503.108.camel@shinybook.infradead.org>
On Saturday 06 May 2006 20:24, David Woodhouse wrote:
> On Fri, 2006-05-05 at 17:38 +0100, David Woodhouse wrote:
> > I still need this hack to work around the fact that softmac doesn't
> > attempt to associate when we bring the device up...
>
> It'd be quite good to get this fixed in 2.6.17 too. Otherwise, the
> device doesn't manage to associate if you use the fairly common sequence
> of iwconfig then dhclient.
>
> It's a bit of an evil hack and it should really be fixed in softmac --
> but it's only moving an _existing_ hack from one place in the driver to
> another.
>
> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
John, please try to push this before 2.6.17.
Thanks.
> --- linux-2.6.16.ppc/drivers/net/wireless/bcm43xx/bcm43xx_main.c.orig 2006-05-05 17:14:26.000000000 +0100
> +++ linux-2.6.16.ppc/drivers/net/wireless/bcm43xx/bcm43xx_main.c 2006-05-05 17:15:19.000000000 +0100
> @@ -3263,6 +3263,9 @@ static int bcm43xx_init_board(struct bcm
> bcm43xx_sysfs_register(bcm);
> //FIXME: check for bcm43xx_sysfs_register failure. This function is a bit messy regarding unwinding, though...
>
> + /*FIXME: This should be handled by softmac instead. */
> + schedule_work(&bcm->softmac->associnfo.work);
> +
> assert(err == 0);
> out:
> return err;
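Review bot: the schedule_work() is on the success path only (the error path jumps to out: past it), which is right, but it now fires the association work on every init_board regardless of whether an ESSID has been configured; since the FIXME already says softmac should own this, naming the softmac hook that is meant to replace it in the comment would keep the hack from being forgotten once it moves.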
> @@ -3937,9 +3940,6 @@ static int bcm43xx_resume(struct pci_dev
>
> netif_device_attach(net_dev);
>
> - /*FIXME: This should be handled by softmac instead. */
> - schedule_work(&bcm->softmac->associnfo.work);
> -
> dprintk(KERN_INFO PFX "Device resumed.\n");
>
> return 0;
>
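Review bot: dropping the call from bcm43xx_resume() only keeps association after suspend working if bcm43xx_init_board() runs on the resume path as well; the hunk does not show that, so a sentence in the changelog confirming it would head off a suspend/resume regression report.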
--
Greetings Michael.
* [PATCH] phy: new SMSC LAN83C185 PHY driver
From: Herbert Valerio Riedel @ 2006-05-07 13:13 UTC (permalink / raw)
To: afleming; +Cc: netdev
new SMSC LAN83C185 10BaseT/100BaseTX PHY driver for the PHY subsystem
Signed-off-by: Herbert Valerio Riedel <hvr@gnu.org>
---
drivers/net/phy/Kconfig | 6 ++
drivers/net/phy/Makefile | 1
drivers/net/phy/smsc.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 141 insertions(+), 0 deletions(-)
create mode 100644 drivers/net/phy/smsc.c
15ab98f0ecaf1fb161d0832a118c93976531af66
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index fa39b94..cda3e53 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -45,5 +45,11 @@ config CICADA_PHY
---help---
Currently supports the cis8204
+config SMSC_PHY
+ tristate "Drivers for SMSC PHYs"
+ depends on PHYLIB
+ ---help---
+ Currently supports the LAN83C185 PHY
+
endmenu
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index e4116a5..d961413 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -8,3 +8,4 @@ obj-$(CONFIG_DAVICOM_PHY) += davicom.o
obj-$(CONFIG_CICADA_PHY) += cicada.o
obj-$(CONFIG_LXT_PHY) += lxt.o
obj-$(CONFIG_QSEMI_PHY) += qsemi.o
+obj-$(CONFIG_SMSC_PHY) += smsc.o
diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
new file mode 100644
index 0000000..b96eb52
--- /dev/null
+++ b/drivers/net/phy/smsc.c
@@ -0,0 +1,134 @@
+/*
+ * drivers/net/phy/smsc.c
+ *
+ * Driver for SMSC PHYs
+ *
+ * Author: Herbert Valerio Riedel
+ *
+ * Copyright (c) 2006 Herbert Valerio Riedel <hvr@gnu.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ */
+
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/mii.h>
+#include <linux/ethtool.h>
+#include <linux/phy.h>
+#include <linux/netdevice.h>
+
+#define MII_LAN83C185_ISF 29 /* Interrupt Source Flags */
+#define MII_LAN83C185_IM 30 /* Interrupt Mask */
+
+#define MII_LAN83C185_ISF_INT1 (1<<1) /* Auto-Negotiation Page Received */
+#define MII_LAN83C185_ISF_INT2 (1<<2) /* Parallel Detection Fault */
+#define MII_LAN83C185_ISF_INT3 (1<<3) /* Auto-Negotiation LP Ack */
+#define MII_LAN83C185_ISF_INT4 (1<<4) /* Link Down */
+#define MII_LAN83C185_ISF_INT5 (1<<5) /* Remote Fault Detected */
+#define MII_LAN83C185_ISF_INT6 (1<<6) /* Auto-Negotiation complete */
+#define MII_LAN83C185_ISF_INT7 (1<<7) /* ENERGYON */
+
+#define MII_LAN83C185_ISF_INT_ALL (0x0e)
+
+#define MII_LAN83C185_ISF_INT_PHYLIB_EVENTS \
+ (MII_LAN83C185_ISF_INT6 | MII_LAN83C185_ISF_INT4)
+
+/* prototypes */
+static int lan83c185_config_init(struct phy_device *);
+static int lan83c185_config_intr(struct phy_device *);
+static int lan83c185_ack_interrupt(struct phy_device *);
+
+
+static int lan83c185_config_init(struct phy_device *phydev)
+{
+ pr_debug ("%s: config_init\n", phydev->attached_dev->name);
+
+ return lan83c185_ack_interrupt (phydev);
+}
+
+static int lan83c185_config_intr(struct phy_device *phydev)
+{
+ int rc = phy_write (phydev, MII_LAN83C185_IM,
+ ((PHY_INTERRUPT_ENABLED == phydev->interrupts)
+ ? MII_LAN83C185_ISF_INT_PHYLIB_EVENTS
+ : 0));
+
+ pr_debug ("%s: config_intr %x (rc=%.4x)\n",
+ phydev->attached_dev->name, phydev->interrupts, rc);
+
+ return rc < 0 ? rc : 0;
+}
+
+static int lan83c185_ack_interrupt(struct phy_device *phydev)
+{
+ int rc = phy_read (phydev, MII_LAN83C185_ISF);
+
+ pr_debug ("%s: ack_interrupt (masked ISF=%.4x, raw ISF: %.4x)\n",
+ phydev->attached_dev->name,
+ rc & MII_LAN83C185_ISF_INT_PHYLIB_EVENTS, rc);
+
+ return rc < 0 ? rc : 0;
+}
+
+static struct phy_driver lan83c185_driver = {
+ .phy_id = 0x0007c0a0, /* OUI=0x00800f, Model#=0x0a */
+ .phy_id_mask = 0xfffffff0,
+ .name = "SMSC LAN83C185",
+
+ .features = (PHY_BASIC_FEATURES | SUPPORTED_Pause
+ | SUPPORTED_Asym_Pause),
+ .flags = PHY_HAS_INTERRUPT | PHY_HAS_MAGICANEG,
+
+ /* basic functions */
+ .config_aneg = genphy_config_aneg,
+ .read_status = genphy_read_status,
+ .config_init = lan83c185_config_init,
+
+ /* IRQ related */
+ .ack_interrupt = lan83c185_ack_interrupt,
+ .config_intr = lan83c185_config_intr,
+
+ .driver = { .owner = THIS_MODULE, }
+};
+
+static int __init smsc_init(void)
+{
+ int rc;
+
+ if ((rc = phy_driver_register (&lan83c185_driver)))
+ goto err_register_lan83c185_driver;
+
+ return 0;
+
+ /* phy_driver_unregister (&lan83c185_driver); */
+ err_register_lan83c185_driver:
+ return rc;
+}
+
+static void __exit smsc_exit(void)
+{
+ phy_driver_unregister (&lan83c185_driver);
+}
+
+MODULE_DESCRIPTION("SMSC PHY driver");
+MODULE_AUTHOR("Herbert Valerio Riedel");
+MODULE_LICENSE("GPL");
+
+module_init(smsc_init);
+module_exit(smsc_exit);
+
+/*
+ * Overrides for Emacs so that we follow Linus's tabbing style.
+ * Emacs will notice this stuff at the end of the file and automatically
+ * adjust the settings for this buffer only. This must remain at the end
+ * of the file.
+ * ---------------------------------------------------------------------------
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ */
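Review bot: MII_LAN83C185_ISF_INT_ALL is 0x0e, which covers only INT1..INT3, yet seven INTn bits are defined above it and the name says ALL; either rename it to match what it masks or make it the OR of all seven. Two smaller points: smsc_init() can simply `return phy_driver_register(&lan83c185_driver);`, since the goto label does nothing but return rc, and the Emacs local-variables block at the end of the file is discouraged by Documentation/CodingStyle and should be dropped.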
--
1.2.6
* [RFC] SECMARK 1.0
From: James Morris @ 2006-05-07 15:31 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
The following patchsets implement a new scheme for adding security
markings to packets via iptables, as well as changes to SELinux to use
these markings for security policy enforcement.
Along with these patches, assorted files including policy examples and
patches for SELinux userland may be found at:
http://people.redhat.com/jmorris/selinux/secmark/
The requirements for secmark arise from the current per-packet network
controls in SELinux, which are rudimentary, and not as expressive or
powerful as the controls provided by Netfilter/iptables.
Thus, the idea is to leverage Netfilter/iptables for packet selection and
labeling, so that SELinux can have more powerful and expressive network
controls. This also allows for increased security, as the policy is more
effective, allowing access to the full range of iptables selectors and
support mechanisms.
For example, SELinux will now be able to utilize connection tracking, so
that only packets which are known to be valid for a specific connection
will be allowed to reach the subject.
Sample iptables rules for labeling packets are at:
http://people.redhat.com/jmorris/selinux/secmark/rules/
And examples of new policy controls may be found here:
http://people.redhat.com/jmorris/selinux/secmark/policy/
The sample policy for ftpd demonstrates how the vsftpd server can be
confined so that it only receives SYN packets on the ftp control port for
new connections, as well as any packets related to the ftp control or data
connections and related ICMP packets. It is also allowed to send DNS
requests.
Note that only the per-packet network controls are being replaced -- the
existing socket-based controls such as name_bind, node_bind and
name_connect are being retained as they are useful for applications in
that they return error messages in response to socket calls, and prevent,
for example, an application from binding to specific local IP addresses.
Also, this local packet marking is orthogonal to the xfrm network labeling
(which is for mediating access based on the security context of the
endpoints across a network connection).
Please review these patches and let me know if there are any queries.
I would like to get the kernel components upstream in the 2.6.18 merge
window.
- James
--
James Morris
<jmorris@namei.org>
* Re: [rfc][patch] ipvs: use proper timeout instead of fixed value
From: Wensong Zhang @ 2006-05-07 15:32 UTC (permalink / raw)
To: Andy Gospodarek; +Cc: netdev, horms, ja
In-Reply-To: <20060504201116.GA24394@gospo.rdu.redhat.com>
Hi Andy,
Yes, the original synchronization design is a sort of arbitrary or
compromised solution. We don't want to synchronize every state change from
master to backup load balancer, because we were afraid that there were too
many state change synchronization messages and there would be some
performance penalty. So, we only synchronize the connection of TCP
ESTABLISHED state or UDP to backup load balancer, and use the timeout of 3
minutes.
Your change is probably ok, but we should be aware that it may create a
lot of connection entries at backup load balancer for TCP applications,
which is much more than that at master load balancer, because there is no
connection close synchronization and timeout is changed from 3 minutes to 15
minutes.
The simple solution is probably to make timeout value tuneable, so that
users can tune it for their application. The better solution is to
synchronize every connection state change from master to backup, so that
backup has almost the same state of connections.
Thanks,
Wensong
On Thu, 4 May 2006, Andy Gospodarek wrote:
>
> Instead of using the default timeout of 3 minutes, this uses the timeout
> specific to the protocol used for the connection. The 3 minute timeout
> seems somewhat arbitrary (though I know it is used other places in the
> ipvs code) and when failing over it would be much nicer to use one of
> the configured timeout values.
>
> Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
> ---
>
> ip_vs_sync.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/ipvs/ip_vs_sync.c b/net/ipv4/ipvs/ip_vs_sync.c
> --- a/net/ipv4/ipvs/ip_vs_sync.c
> +++ b/net/ipv4/ipvs/ip_vs_sync.c
> @@ -67,7 +67,6 @@ struct ip_vs_sync_conn_options {
> struct ip_vs_seq out_seq; /* outgoing seq. struct */
> };
>
> -#define IP_VS_SYNC_CONN_TIMEOUT (3*60*HZ)
> #define SIMPLE_CONN_SIZE (sizeof(struct ip_vs_sync_conn))
> #define FULL_CONN_SIZE \
> (sizeof(struct ip_vs_sync_conn) + sizeof(struct ip_vs_sync_conn_options))
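Review bot: removing IP_VS_SYNC_CONN_TIMEOUT is fine only if ip_vs_sync.c was its sole user; the diffstat lists just this file, so a grep across net/ipv4/ipvs confirming no other reference would be worth stating in the changelog.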
> @@ -279,6 +278,7 @@ static void ip_vs_process_message(const
> struct ip_vs_sync_conn *s;
> struct ip_vs_sync_conn_options *opt;
> struct ip_vs_conn *cp;
> + struct ip_vs_protocol *pp;
> char *p;
> int i;
>
> @@ -337,7 +337,8 @@ static void ip_vs_process_message(const
> p += SIMPLE_CONN_SIZE;
>
> atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
> - cp->timeout = IP_VS_SYNC_CONN_TIMEOUT;
> + pp = ip_vs_proto_get(s->protocol);
> + cp->timeout = pp->timeout_table[cp->state];
> ip_vs_conn_put(cp);
>
> if (p > buffer+buflen) {
>
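Review bot: `pp = ip_vs_proto_get(s->protocol)` is dereferenced without a NULL check, and s->protocol comes from a sync message received off the network, so an unregistered protocol number in a corrupted or unexpected message would oops the backup director. Likewise `pp->timeout_table[cp->state]` indexes with a state taken from the same message, so the state needs a range check against the protocol's table before use; on either failure the entry should be dropped (or fall back to a fixed timeout) rather than trusted.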
* [RFC] [SECMARK 01/08] Add secmark support to core networking
From: James Morris @ 2006-05-07 15:33 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds a secmark field to the skbuff structure, to allow security
subsystems to place security markings on network packets. This is similar
to the nfmark field, except is intended for implementing security policy,
rather than networking policy.
This patch was already acked in principle by Dave Miller.
Signed-off-by: James Morris <jmorris@namei.org>
---
include/linux/skbuff.h | 22 ++++++++++++++++++++++
net/Kconfig | 7 +++++++
net/core/skbuff.c | 3 ++-
net/ipv4/ip_output.c | 1 +
net/ipv4/netfilter/ipt_REJECT.c | 1 +
net/ipv6/ip6_output.c | 1 +
6 files changed, 34 insertions(+), 1 deletion(-)
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/include/linux/skbuff.h linux-2.6.17-rc2-mm1.w/include/linux/skbuff.h
--- linux-2.6.17-rc2-mm1.p/include/linux/skbuff.h 2006-04-27 10:44:26.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/include/linux/skbuff.h 2006-04-27 23:43:32.000000000 -0400
@@ -209,6 +209,7 @@ enum {
* @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
* @tc_index: Traffic control index
* @tc_verd: traffic control verdict
+ * @secmark: security marking
*/
struct sk_buff {
@@ -285,6 +286,9 @@ struct sk_buff {
__u16 tc_verd; /* traffic control verdict */
#endif
#endif
+#ifdef CONFIG_NETWORK_SECMARK
+ __u32 secmark;
+#endif
/* These elements must be at the end, see alloc_skb() for details. */
@@ -1396,5 +1400,23 @@ static inline void nf_reset(struct sk_bu
static inline void nf_reset(struct sk_buff *skb) {}
#endif /* CONFIG_NETFILTER */
+#ifdef CONFIG_NETWORK_SECMARK
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
+{
+ to->secmark = from->secmark;
+}
+
+static inline void skb_init_secmark(struct sk_buff *skb)
+{
+ skb->secmark = 0;
+}
+#else
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
+{ }
+
+static inline void skb_init_secmark(struct sk_buff *skb)
+{ }
+#endif
+
#endif /* __KERNEL__ */
#endif /* _LINUX_SKBUFF_H */
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/net/core/skbuff.c linux-2.6.17-rc2-mm1.w/net/core/skbuff.c
--- linux-2.6.17-rc2-mm1.p/net/core/skbuff.c 2006-04-27 10:44:26.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/net/core/skbuff.c 2006-04-27 23:43:32.000000000 -0400
@@ -464,7 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff
n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
C(input_dev);
#endif
-
+ skb_copy_secmark(n, skb);
#endif
C(truesize);
atomic_set(&n->users, 1);
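Review bot: the new skb_copy_secmark(n, skb) call is placed before the closing `#endif` that follows `C(input_dev);`, so it is only compiled when that outer conditional (the CONFIG_NET_SCHED block, judging by the tc_verd lines above it) is enabled; in the copy_skb_header hunk the same call sits after the `#endif`. Move it below the `#endif` here as well so clones always carry the mark, otherwise a kernel built without NET_SCHED would hand SELinux unmarked clones of marked packets.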
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_bu
#endif
new->tc_index = old->tc_index;
#endif
+ skb_copy_secmark(new, old);
atomic_set(&new->users, 1);
skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/net/ipv4/ip_output.c linux-2.6.17-rc2-mm1.w/net/ipv4/ip_output.c
--- linux-2.6.17-rc2-mm1.p/net/ipv4/ip_output.c 2006-04-19 23:31:25.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/net/ipv4/ip_output.c 2006-04-27 23:43:32.000000000 -0400
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_b
nf_bridge_get(to->nf_bridge);
#endif
#endif
+ skb_copy_secmark(to, from);
}
/*
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/net/ipv4/netfilter/ipt_REJECT.c linux-2.6.17-rc2-mm1.w/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.6.17-rc2-mm1.p/net/ipv4/netfilter/ipt_REJECT.c 2006-04-19 23:31:25.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/net/ipv4/netfilter/ipt_REJECT.c 2006-04-27 23:43:32.000000000 -0400
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *o
/* This packet will not be the same as the other: clear nf fields */
nf_reset(nskb);
nskb->nfmark = 0;
+ skb_init_secmark(nskb);
tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/net/ipv6/ip6_output.c linux-2.6.17-rc2-mm1.w/net/ipv6/ip6_output.c
--- linux-2.6.17-rc2-mm1.p/net/ipv6/ip6_output.c 2006-04-19 23:31:25.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/net/ipv6/ip6_output.c 2006-04-27 23:43:32.000000000 -0400
@@ -458,6 +458,7 @@ static void ip6_copy_metadata(struct sk_
nf_bridge_get(to->nf_bridge);
#endif
#endif
+ skb_copy_secmark(to, from);
}
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/net/Kconfig linux-2.6.17-rc2-mm1.w/net/Kconfig
--- linux-2.6.17-rc2-mm1.p/net/Kconfig 2006-04-19 23:31:25.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/net/Kconfig 2006-04-27 23:43:32.000000000 -0400
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
endif # if INET
+config NETWORK_SECMARK
+ bool "Security Marking"
+ help
+ This enables security marking of network packets, similar
+ to nfmark, but designated for security purposes.
+ If you are unsure how to answer this question, answer N.
+
menuconfig NETFILTER
bool "Network packet filtering (replaces ipchains)"
---help---
* [RFC][SECMARK 02/08] Export selinux_string_to_sid from SELinux
From: James Morris @ 2006-05-07 15:34 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds and exports a new function in the in-kernel
SELinux API: selinux_string_to_sid(). It maps a text
security context to an SELinux security ID (SID).
Signed-off-by: James Morris <jmorris@namei.org>
---
include/linux/selinux.h | 16 ++++++++++++++++
security/selinux/exports.c | 11 +++++++++++
2 files changed, 27 insertions(+)
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/include/linux/selinux.h linux-2.6.17-rc2-mm1.w/include/linux/selinux.h
--- linux-2.6.17-rc2-mm1.p/include/linux/selinux.h 2006-04-27 10:44:26.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/include/linux/selinux.h 2006-04-28 00:53:27.000000000 -0400
@@ -118,6 +118,16 @@ void selinux_get_ipc_sid(const struct ke
*/
void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
+/**
+ * selinux_string_to_sid - map a security context string to a security ID
+ * @str: the security context string to be mapped
+ * @sid: ID value returned via this.
+ *
+ * Returns 0 if successful, with the SID stored in sid. A value
+ * of zero for sid indicates no SID could be determined (but no error
+ * occurred).
+ */
+int selinux_string_to_sid(char *str, u32 *sid);
#else
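Review bot: the real prototype is `int selinux_string_to_sid(char *str, u32 *sid);` while the stub in the next hunk takes `const char *str`; the two should agree, and since the string is only passed to strlen() and security_context_to_sid(), `const char *` is the better choice for both (with a cast at the single call site if the lower-level function has not been constified yet).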
@@ -172,6 +182,12 @@ static inline void selinux_get_task_sid(
*sid = 0;
}
+static inline int selinux_string_to_sid(const char *str, u32 *sid)
+{
+ *sid = 0;
+ return 0;
+}
+
#endif /* CONFIG_SECURITY_SELINUX */
#endif /* _LINUX_SELINUX_H */
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/security/selinux/exports.c linux-2.6.17-rc2-mm1.w/security/selinux/exports.c
--- linux-2.6.17-rc2-mm1.p/security/selinux/exports.c 2006-04-27 10:44:26.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/security/selinux/exports.c 2006-04-28 00:51:25.000000000 -0400
@@ -72,3 +72,14 @@ void selinux_get_task_sid(struct task_st
*sid = 0;
}
+int selinux_string_to_sid(char *str, u32 *sid)
+{
+ if (selinux_enabled)
+ return security_context_to_sid(str, strlen(str), sid);
+ else {
+ *sid = 0;
+ return 0;
+ }
+}
+EXPORT_SYMBOL_GPL(selinux_string_to_sid);
+
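Review bot: the `else` after `return` can go, and the final `+` line adds a trailing blank line at end of file, which git will warn about. It would also be safer to reject a NULL str up front, since strlen() on it would crash inside the security subsystem instead of returning an error to the netfilter caller.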
* [RFC][SECMARK 03/08] Add xtables SECMARK target
From: James Morris @ 2006-05-07 15:35 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds a SECMARK target to xtables, allowing
the admin to apply security marks to packets via both
iptables and ip6tables.
The target currently handles SELinux security marking,
but can be extended for other purposes as needed.
Signed-off-by: James Morris <jmorris@namei.org>
---
include/linux/netfilter/xt_SECMARK.h | 26 ++++++
net/netfilter/Kconfig | 9 ++
net/netfilter/Makefile | 1
net/netfilter/xt_SECMARK.c | 150 +++++++++++++++++++++++++++++++++++
4 files changed, 186 insertions(+)
diff -purN -X dontdiff linux-2.6.17-rc2.p/include/linux/netfilter/xt_SECMARK.h linux-2.6.17-rc2.w/include/linux/netfilter/xt_SECMARK.h
--- linux-2.6.17-rc2.p/include/linux/netfilter/xt_SECMARK.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.17-rc2.w/include/linux/netfilter/xt_SECMARK.h 2006-04-25 02:35:45.000000000 -0400
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SELCTX_MAX 256
+
+struct xt_secmark_target_selinux_info {
+ u_int32_t selsid;
+ char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+ u_int8_t mode;
+ union {
+ struct xt_secmark_target_selinux_info sel;
+ } u;
+};
+
+#endif /*_XT_SECMARK_H_target */
diff -purN -X dontdiff linux-2.6.17-rc2.p/net/netfilter/Kconfig linux-2.6.17-rc2.w/net/netfilter/Kconfig
--- linux-2.6.17-rc2.p/net/netfilter/Kconfig 2006-04-19 23:31:25.000000000 -0400
+++ linux-2.6.17-rc2.w/net/netfilter/Kconfig 2006-04-25 00:22:27.000000000 -0400
@@ -174,6 +174,15 @@ config NETFILTER_XT_TARGET_NOTRACK
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_TARGET_SECMARK
+ tristate '"SECMARK" target support'
+ depends on NETFILTER_XTABLES && NETWORK_SECMARK
+ help
+ The SECMARK target allows security marking of network
+ packets, for use with security subsystems.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_COMMENT
tristate '"comment" match support'
depends on NETFILTER_XTABLES
diff -purN -X dontdiff linux-2.6.17-rc2.p/net/netfilter/Makefile linux-2.6.17-rc2.w/net/netfilter/Makefile
--- linux-2.6.17-rc2.p/net/netfilter/Makefile 2006-04-19 23:31:25.000000000 -0400
+++ linux-2.6.17-rc2.w/net/netfilter/Makefile 2006-04-25 00:22:27.000000000 -0400
@@ -28,6 +28,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMAR
obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
# matches
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff -purN -X dontdiff linux-2.6.17-rc2.p/net/netfilter/xt_SECMARK.c linux-2.6.17-rc2.w/net/netfilter/xt_SECMARK.c
--- linux-2.6.17-rc2.p/net/netfilter/xt_SECMARK.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.17-rc2.w/net/netfilter/xt_SECMARK.c 2006-04-25 02:45:58.000000000 -0400
@@ -0,0 +1,150 @@
+/*
+ * Module for modifying the secmark field of the skb, for use by
+ * security subsystems.
+ *
+ * Based on the nfmark match by:
+ * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+ *
+ * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/selinux.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
+MODULE_DESCRIPTION("ip[6]tables SECMARK modification module");
+MODULE_ALIAS("ipt_SECMARK");
+MODULE_ALIAS("ip6t_SECMARK");
+
+#define PFX "SECMARK: "
+
+static u8 mode;
+
+static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target,
+ const void *targinfo, void *userinfo)
+{
+ u32 secmark = 0;
+ const struct xt_secmark_target_info *info = targinfo;
+
+ BUG_ON(info->mode != mode);
+
+ switch (mode) {
+ case SECMARK_MODE_SEL:
+ secmark = info->u.sel.selsid;
+ break;
+
+ default:
+ BUG();
+ }
+
+ if ((*pskb)->secmark != secmark)
+ (*pskb)->secmark = secmark;
+
+ return XT_CONTINUE;
+}
+
+static int checkentry_selinux(struct xt_secmark_target_info *info)
+{
+ int err;
+ struct xt_secmark_target_selinux_info *sel = &info->u.sel;
+
+ err = selinux_string_to_sid(sel->selctx, &sel->selsid);
+ if (err) {
+ if (err == -EINVAL)
+ printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
+ sel->selctx);
+ return 0;
+ }
+
+ if (!sel->selsid) {
+ printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
+ sel->selctx);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int checkentry(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int targinfosize, unsigned int hook_mask)
+{
+ struct xt_secmark_target_info *info = targinfo;
+
+ if (mode && mode != info->mode) {
+ printk(KERN_INFO PFX "mode already set to %hhu cannot mix with "
+ "rules for mode %hhu\n", mode, info->mode);
+ return 0;
+ }
+
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ if (!checkentry_selinux(info))
+ return 0;
+ break;
+
+ default:
+ printk(KERN_INFO PFX "invalid mode: %hhu\n", info->mode);
+ return 0;
+ }
+
+ if (!mode)
+ mode = info->mode;
+ return 1;
+}
+
+static struct xt_target ipt_secmark_reg = {
+ .name = "SECMARK",
+ .target = target,
+ .targetsize = sizeof(struct xt_secmark_target_info),
+ .table = "mangle",
+ .checkentry = checkentry,
+ .me = THIS_MODULE,
+ .family = AF_INET,
+ .revision = 0,
+};
+
+static struct xt_target ip6t_secmark_reg = {
+ .name = "SECMARK",
+ .target = target,
+ .targetsize = sizeof(struct xt_secmark_target_info),
+ .table = "mangle",
+ .checkentry = checkentry,
+ .me = THIS_MODULE,
+ .family = AF_INET6,
+ .revision = 0,
+};
+
+static int __init xt_secmark_init(void)
+{
+ int err;
+
+ err = xt_register_target(&ipt_secmark_reg);
+ if (err)
+ return err;
+
+ err = xt_register_target(&ip6t_secmark_reg);
+ if (err)
+ xt_unregister_target(&ipt_secmark_reg);
+
+ return err;
+}
+
+static void __exit xt_secmark_fini(void)
+{
+ xt_unregister_target(&ip6t_secmark_reg);
+ xt_unregister_target(&ipt_secmark_reg);
+}
+
+module_init(xt_secmark_init);
+module_exit(xt_secmark_fini);
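Review bot: checkentry_selinux() passes sel->selctx to selinux_string_to_sid() without verifying that the user-supplied array contains a terminator within SECMARK_SELCTX_MAX, so a crafted rule blob (CAP_NET_ADMIN only, but still a kernel read past the target info) is handled as an over-long string; reject it first, e.g. `if (strnlen(sel->selctx, SECMARK_SELCTX_MAX) == SECMARK_SELCTX_MAX) return 0;`. Separately, the module-wide `static u8 mode` is set by the first accepted rule and never cleared (there is no .destroy hook), so after every SECMARK rule has been deleted the mode stays pinned until the module is unloaded; either reference-count rules per mode in a .destroy hook or drop the global and rely on the per-rule info->mode that target() already has.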
^ permalink raw reply
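As an added example (not part of James Morris's patch series), the following C program models the user-to-kernel handoff the SECMARK target relies on: it carries the two structs from the xt_SECMARK.h hunk, rebuilds a rule blob the way an iptables module does, and runs the checks a hardened checkentry() should perform before selctx is treated as a C string. The values of SECMARK_SELCTX_MAX and SECMARK_MODE_SEL, the secmark_validate()/secmark_build() helpers, and the SELinux context strings are assumptions; the page does not show them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the defines are not shown on the page. */
#define SECMARK_SELCTX_MAX 256
#define SECMARK_MODE_SEL   0x01

/* Layout as in the xt_SECMARK.h hunk, with stdint types. */
struct xt_secmark_target_selinux_info {
	uint32_t selsid;
	char selctx[SECMARK_SELCTX_MAX];
};

struct xt_secmark_target_info {
	uint8_t mode;
	union {
		struct xt_secmark_target_selinux_info sel;
	} u;
};

enum secmark_verdict {
	SECMARK_OK = 0,
	SECMARK_BAD_SIZE,	/* blob size differs from the kernel's .targetsize */
	SECMARK_BAD_MODE,	/* mode other than SECMARK_MODE_SEL */
	SECMARK_UNTERMINATED,	/* no NUL inside selctx[] */
	SECMARK_EMPTY_CTX	/* selctx[] is "" */
};

/*
 * Hypothetical hardened checkentry(): every field comes from userspace,
 * so validate the blob before anything treats selctx as a C string.
 * x_tables compares the blob size with .targetsize before calling
 * checkentry(); the first test stands in for that step.
 */
enum secmark_verdict secmark_validate(const void *targinfo, size_t targinfosize)
{
	const struct xt_secmark_target_info *info = targinfo;
	const char *nul;

	if (targinfosize != sizeof(*info))
		return SECMARK_BAD_SIZE;
	if (info->mode != SECMARK_MODE_SEL)
		return SECMARK_BAD_MODE;

	/* Bounded scan; the patch hands selctx straight to selinux_string_to_sid(). */
	nul = memchr(info->u.sel.selctx, '\0', SECMARK_SELCTX_MAX);
	if (nul == NULL)
		return SECMARK_UNTERMINATED;
	if (nul == info->u.sel.selctx)
		return SECMARK_EMPTY_CTX;
	return SECMARK_OK;
}

/*
 * Build a blob the way an iptables module does: zero it, set the mode and
 * copy the --selctx argument.  Like strcpy() in libipt_SECMARK.c, a context
 * of SECMARK_SELCTX_MAX bytes or more leaves no terminator behind.
 */
size_t secmark_build(struct xt_secmark_target_info *info, const char *ctx)
{
	size_t len = strlen(ctx);

	memset(info, 0, sizeof(*info));
	info->mode = SECMARK_MODE_SEL;
	memcpy(info->u.sel.selctx, ctx,
	       len < SECMARK_SELCTX_MAX ? len : SECMARK_SELCTX_MAX);
	return sizeof(*info);
}

/* Well-formed rule: a constructed context string of realistic shape. */
enum secmark_verdict case_good(void)
{
	struct xt_secmark_target_info info;
	size_t sz = secmark_build(&info, "system_u:object_r:http_packet_t:s0");

	return secmark_validate(&info, sz);
}

/* Blob sized from the inner struct, as libipt_SECMARK.c does: short by the
 * padding after mode on common ABIs, so the kernel's size check rejects it. */
enum secmark_verdict case_userland_size(void)
{
	struct xt_secmark_target_info info;

	secmark_build(&info, "system_u:object_r:http_packet_t:s0");
	return secmark_validate(&info, sizeof(struct xt_secmark_target_selinux_info));
}

/* A SECMARK_SELCTX_MAX-byte context with no terminator, as a buggy or
 * hostile ruleset could supply. */
enum secmark_verdict case_unterminated(void)
{
	struct xt_secmark_target_info info;
	char ctx[SECMARK_SELCTX_MAX + 1];

	memset(ctx, 'A', SECMARK_SELCTX_MAX);
	ctx[SECMARK_SELCTX_MAX] = '\0';
	return secmark_validate(&info, secmark_build(&info, ctx));
}

int main(void)
{
	printf("kernel targetsize %zu, userland size %zu\n",
	       sizeof(struct xt_secmark_target_info),
	       sizeof(struct xt_secmark_target_selinux_info));
	printf("good=%d wrong_size=%d unterminated=%d\n",
	       case_good(), case_userland_size(), case_unterminated());
	return 0;
}
```

Build with `cc -Wall secmark_check.c`. case_userland_size() reproduces the blob size that the libipt_SECMARK.c module later in the thread derives from the inner struct, which is smaller than the kernel's .targetsize, and case_unterminated() is the input a bounded scan in checkentry() has to catch.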
* [RFC][SECMARK 04/08] Add new flask definitions to SELinux
From: James Morris @ 2006-05-07 15:36 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds support for a new object class ('packet'),
and two associated permissions ('send', 'recv'). These
are used to enforce security policy for network packets
labeled with SECMARK.
Signed-off-by: James Morris <jmorris@namei.org>
---
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/security/selinux/include/av_permissions.h linux-2.6.17-rc2-mm1.w/security/selinux/include/av_permissions.h
--- linux-2.6.17-rc2-mm1.p/security/selinux/include/av_permissions.h 2006-05-01 16:51:36.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/security/selinux/include/av_permissions.h 2006-05-01 16:52:14.000000000 -0400
@@ -933,3 +933,6 @@
#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
+#define PACKET__SEND 0x00000001UL
+#define PACKET__RECV 0x00000002UL
+
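Review bot: the trailing blank `+` line added after PACKET__RECV is removed again by patch 06 of this series (which turns it into the PACKET__RELABELTO define); drop it here so the series does not churn the same line twice.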
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/security/selinux/include/av_perm_to_string.h linux-2.6.17-rc2-mm1.w/security/selinux/include/av_perm_to_string.h
--- linux-2.6.17-rc2-mm1.p/security/selinux/include/av_perm_to_string.h 2006-05-01 16:51:36.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/security/selinux/include/av_perm_to_string.h 2006-05-01 16:52:14.000000000 -0400
@@ -239,3 +239,5 @@
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+ S_(SECCLASS_PACKET, PACKET__SEND, "send")
+ S_(SECCLASS_PACKET, PACKET__RECV, "recv")
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/security/selinux/include/class_to_string.h linux-2.6.17-rc2-mm1.w/security/selinux/include/class_to_string.h
--- linux-2.6.17-rc2-mm1.p/security/selinux/include/class_to_string.h 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.17-rc2-mm1.w/security/selinux/include/class_to_string.h 2006-05-01 16:52:14.000000000 -0400
@@ -58,3 +58,4 @@
S_("nscd")
S_("association")
S_("netlink_kobject_uevent_socket")
+ S_("packet")
diff -purN -X dontdiff linux-2.6.17-rc2-mm1.p/security/selinux/include/flask.h linux-2.6.17-rc2-mm1.w/security/selinux/include/flask.h
--- linux-2.6.17-rc2-mm1.p/security/selinux/include/flask.h 2006-05-01 16:51:36.000000000 -0400
+++ linux-2.6.17-rc2-mm1.w/security/selinux/include/flask.h 2006-05-01 16:52:14.000000000 -0400
@@ -60,6 +60,7 @@
#define SECCLASS_NSCD 53
#define SECCLASS_ASSOCIATION 54
#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
+#define SECCLASS_PACKET 56
/*
* Security identifier indices for initial entities
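Review bot: SECCLASS_PACKET 56 and the PACKET__* bits are fixed kernel-side numbers that have to line up with the position of `packet` in the policy's security_classes file and the permission order in access_vectors, and the kernel rejects a policy whose class values do not match; the series should say where the matching policy change lives (these four headers are generated from those policy sources) so reviewers can check the numbering against it.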
^ permalink raw reply
* [RFC][SECMARK 05/08] Add new packet controls to SELinux
From: James Morris @ 2006-05-07 15:37 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds new per-packet access controls to SELinux, replacing the
old packet controls.
Packets are labeled with the iptables SECMARK target then security policy
for the packets is enforced with these controls.
To allow for a smooth transition to the new controls, the old code is
still present, but not active by default. To restore previous behavior,
the old controls may be activated at runtime by writing a '1' to
/selinux/compat_net. Switching between the network control models
requires the security load_policy permission. The old controls will
probably eventually be removed.
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/hooks.c | 241 +++++++++++++++++++++-------------------
security/selinux/include/xfrm.h | 2
security/selinux/selinuxfs.c | 52 ++++++++
security/selinux/xfrm.c | 12 -
4 files changed, 188 insertions(+), 119 deletions(-)
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/hooks.c linux-2.6.17-rc3-git7.w/security/selinux/hooks.c
--- linux-2.6.17-rc3-git7.p/security/selinux/hooks.c 2006-05-03 10:25:11.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/hooks.c 2006-05-07 01:02:35.000000000 -0400
@@ -80,6 +80,7 @@
extern unsigned int policydb_loaded_version;
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
+extern int selinux_compat_net;
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing = 0;
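Review bot: `extern int selinux_compat_net;` belongs in a shared header (the existing selinux include/ directory already declares selinux_checkreqprot-style knobs) rather than as a bare extern in hooks.c, so the definition in selinuxfs.c and its users cannot drift in type.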
@@ -3212,47 +3213,16 @@ static int selinux_socket_unix_may_send(
return 0;
}
-static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, struct avc_audit_data *ad,
+ u32 sock_sid, u16 sock_class, u16 family, char *addrp, int len)
{
- u16 family;
- char *addrp;
- int len, err = 0;
+ int err = 0;
u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
- u32 sock_sid = 0;
- u16 sock_class = 0;
- struct socket *sock;
- struct net_device *dev;
- struct avc_audit_data ad;
- family = sk->sk_family;
- if (family != PF_INET && family != PF_INET6)
+ if (!skb->dev)
goto out;
- /* Handle mapped IPv4 packets arriving via IPv6 sockets */
- if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
- family = PF_INET;
-
- read_lock_bh(&sk->sk_callback_lock);
- sock = sk->sk_socket;
- if (sock) {
- struct inode *inode;
- inode = SOCK_INODE(sock);
- if (inode) {
- struct inode_security_struct *isec;
- isec = inode->i_security;
- sock_sid = isec->sid;
- sock_class = isec->sclass;
- }
- }
- read_unlock_bh(&sk->sk_callback_lock);
- if (!sock_sid)
- goto out;
-
- dev = skb->dev;
- if (!dev)
- goto out;
-
- err = sel_netif_sids(dev, &if_sid, NULL);
+ err = sel_netif_sids(skb->dev, &if_sid, NULL);
if (err)
goto out;
@@ -3275,44 +3245,88 @@ static int selinux_socket_sock_rcv_skb(s
break;
}
- AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = dev->name;
- ad.u.net.family = family;
-
- err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
- if (err)
- goto out;
-
- err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
+ err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
if (err)
goto out;
- /* Fixme: this lookup is inefficient */
err = security_node_sid(family, addrp, len, &node_sid);
if (err)
goto out;
- err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
+ err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
if (err)
goto out;
if (recv_perm) {
u32 port_sid;
- /* Fixme: make this more efficient */
err = security_port_sid(sk->sk_family, sk->sk_type,
- sk->sk_protocol, ntohs(ad.u.net.sport),
+ sk->sk_protocol, ntohs(ad->u.net.sport),
&port_sid);
if (err)
goto out;
err = avc_has_perm(sock_sid, port_sid,
- sock_class, recv_perm, &ad);
+ sock_class, recv_perm, ad);
}
- if (!err)
- err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
+out:
+ return err;
+}
+
+static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+ u16 family;
+ u16 sock_class = 0;
+ char *addrp;
+ int len, err = 0;
+ u32 sock_sid = 0;
+ struct socket *sock;
+ struct avc_audit_data ad;
+
+ family = sk->sk_family;
+ if (family != PF_INET && family != PF_INET6)
+ goto out;
+
+ /* Handle mapped IPv4 packets arriving via IPv6 sockets */
+ if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
+ family = PF_INET;
+
+ read_lock_bh(&sk->sk_callback_lock);
+ sock = sk->sk_socket;
+ if (sock) {
+ struct inode *inode;
+ inode = SOCK_INODE(sock);
+ if (inode) {
+ struct inode_security_struct *isec;
+ isec = inode->i_security;
+ sock_sid = isec->sid;
+ sock_class = isec->sclass;
+ }
+ }
+ read_unlock_bh(&sk->sk_callback_lock);
+ if (!sock_sid)
+ goto out;
+
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+ ad.u.net.family = family;
+
+ err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
+ if (err)
+ goto out;
+
+ if (selinux_compat_net)
+ err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
+ sock_class, family,
+ addrp, len);
+ else
+ err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__RECV, &ad);
+ if (err)
+ goto out;
+ err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
out:
return err;
}
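Review bot: with selinux_compat_net off, every packet delivered to a labeled IPv4/IPv6 socket now gets a `packet recv` check against skb->secmark, and a packet no SECMARK rule has touched carries secmark 0, which resolves to the unlabeled SID; a policy that does not grant `packet { recv }` to the unlabeled type therefore denies all inbound traffic in enforcing mode as soon as this kernel boots. Either skip the check while no SECMARK rules are loaded, or state in the commit message that policy must grant recv on unlabeled packets before compat_net is left at its new default of 0.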
@@ -3452,42 +3466,18 @@ out:
#ifdef CONFIG_NETFILTER
-static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
- struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *),
- u16 family)
+static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
+ struct inode_security_struct *isec,
+ struct avc_audit_data *ad,
+ u16 family, char *addrp, int len)
{
- char *addrp;
- int len, err = NF_ACCEPT;
+ int err;
u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
- struct sock *sk;
- struct socket *sock;
- struct inode *inode;
- struct sk_buff *skb = *pskb;
- struct inode_security_struct *isec;
- struct avc_audit_data ad;
- struct net_device *dev = (struct net_device *)out;
- sk = skb->sk;
- if (!sk)
- goto out;
-
- sock = sk->sk_socket;
- if (!sock)
- goto out;
-
- inode = SOCK_INODE(sock);
- if (!inode)
- goto out;
-
err = sel_netif_sids(dev, &if_sid, NULL);
if (err)
goto out;
- isec = inode->i_security;
-
switch (isec->sclass) {
case SECCLASS_UDP_SOCKET:
netif_perm = NETIF__UDP_SEND;
@@ -3507,55 +3497,88 @@ static unsigned int selinux_ip_postroute
break;
}
-
- AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = dev->name;
- ad.u.net.family = family;
-
- err = selinux_parse_skb(skb, &ad, &addrp,
- &len, 0) ? NF_DROP : NF_ACCEPT;
- if (err != NF_ACCEPT)
- goto out;
-
- err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
- netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
- if (err != NF_ACCEPT)
+ err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+ if (err)
goto out;
- /* Fixme: this lookup is inefficient */
- err = security_node_sid(family, addrp, len,
- &node_sid) ? NF_DROP : NF_ACCEPT;
- if (err != NF_ACCEPT)
+ err = security_node_sid(family, addrp, len, &node_sid);
+ if (err)
goto out;
- err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
- node_perm, &ad) ? NF_DROP : NF_ACCEPT;
- if (err != NF_ACCEPT)
+ err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
+ if (err)
goto out;
if (send_perm) {
u32 port_sid;
- /* Fixme: make this more efficient */
err = security_port_sid(sk->sk_family,
sk->sk_type,
sk->sk_protocol,
- ntohs(ad.u.net.dport),
- &port_sid) ? NF_DROP : NF_ACCEPT;
- if (err != NF_ACCEPT)
+ ntohs(ad->u.net.dport),
+ &port_sid);
+ if (err)
goto out;
err = avc_has_perm(isec->sid, port_sid, isec->sclass,
- send_perm, &ad) ? NF_DROP : NF_ACCEPT;
+ send_perm, ad);
}
+out:
+ return err;
+}
+
+static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
+ struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *),
+ u16 family)
+{
+ char *addrp;
+ int len, err = 0;
+ struct sock *sk;
+ struct socket *sock;
+ struct inode *inode;
+ struct sk_buff *skb = *pskb;
+ struct inode_security_struct *isec;
+ struct avc_audit_data ad;
+ struct net_device *dev = (struct net_device *)out;
+
+ sk = skb->sk;
+ if (!sk)
+ goto out;
+
+ sock = sk->sk_socket;
+ if (!sock)
+ goto out;
+
+ inode = SOCK_INODE(sock);
+ if (!inode)
+ goto out;
+
+ isec = inode->i_security;
+
+ AVC_AUDIT_DATA_INIT(&ad, NET);
+ ad.u.net.netif = dev->name;
+ ad.u.net.family = family;
- if (err != NF_ACCEPT)
+ err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
+ if (err)
goto out;
- err = selinux_xfrm_postroute_last(isec->sid, skb);
+ if (selinux_compat_net)
+ err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
+ family, addrp, len);
+ else
+ err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__SEND, &ad);
+
+ if (err)
+ goto out;
+ err = selinux_xfrm_postroute_last(isec->sid, skb);
out:
- return err;
+ return err ? NF_DROP : NF_ACCEPT;
}
static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
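Review bot: the new `packet send` check is skipped whenever skb->sk is NULL (`if (!sk) goto out;` returns NF_ACCEPT), so forwarded traffic and locally generated packets without a socket are never subject to it even when a SECMARK rule labeled them; the commit message should state that the send control covers locally originated socket traffic only, or the series needs a forward-path hook for the forwarded case.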
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/include/xfrm.h linux-2.6.17-rc3-git7.w/security/selinux/include/xfrm.h
--- linux-2.6.17-rc3-git7.p/security/selinux/include/xfrm.h 2006-05-03 10:25:02.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/include/xfrm.h 2006-05-07 01:02:35.000000000 -0400
@@ -49,7 +49,7 @@ static inline int selinux_xfrm_sock_rcv_
static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
{
- return NF_ACCEPT;
+ return 0;
}
static inline int selinux_socket_getpeer_stream(struct sock *sk)
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/selinuxfs.c linux-2.6.17-rc3-git7.w/security/selinux/selinuxfs.c
--- linux-2.6.17-rc3-git7.p/security/selinux/selinuxfs.c 2006-05-03 10:25:02.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/selinuxfs.c 2006-05-07 01:02:35.000000000 -0400
@@ -37,6 +37,7 @@
#include "conditional.h"
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+int selinux_compat_net;
static int __init checkreqprot_setup(char *str)
{
@@ -85,6 +86,7 @@ enum sel_inos {
SEL_AVC, /* AVC management directory */
SEL_MEMBER, /* compute polyinstantiation membership decision */
SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
+ SEL_COMPAT_NET, /* whether to use old compat network packet controls */
};
#define TMPBUFLEN 12
@@ -364,6 +366,55 @@ static struct file_operations sel_checkr
.write = sel_write_checkreqprot,
};
+static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ char tmpbuf[TMPBUFLEN];
+ ssize_t length;
+
+ length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
+ return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
+static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
+ size_t count, loff_t *ppos)
+{
+ char *page;
+ ssize_t length;
+ int new_value;
+
+ length = task_has_security(current, SECURITY__LOAD_POLICY);
+ if (length)
+ return length;
+
+ if (count >= PAGE_SIZE)
+ return -ENOMEM;
+ if (*ppos != 0) {
+ /* No partial writes. */
+ return -EINVAL;
+ }
+ page = (char*)get_zeroed_page(GFP_KERNEL);
+ if (!page)
+ return -ENOMEM;
+ length = -EFAULT;
+ if (copy_from_user(page, buf, count))
+ goto out;
+
+ length = -EINVAL;
+ if (sscanf(page, "%d", &new_value) != 1)
+ goto out;
+
+ selinux_compat_net = new_value ? 1 : 0;
+ length = count;
+out:
+ free_page((unsigned long) page);
+ return length;
+}
+static struct file_operations sel_compat_net_ops = {
+ .read = sel_read_compat_net,
+ .write = sel_write_compat_net,
+};
+
/*
* Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
*/
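Review bot: sel_read_compat_net()/sel_write_compat_net() duplicate the checkreqprot read/write handlers line for line apart from the variable and the permission; a shared helper taking an `int *` and the required permission would keep the two knobs from drifting. Style: a blank line is missing between the closing brace of sel_write_compat_net() and `static struct file_operations sel_compat_net_ops`.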
@@ -1219,6 +1270,7 @@ static int sel_fill_super(struct super_b
[SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
+ [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
/* last one */ {""}
};
ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/xfrm.c linux-2.6.17-rc3-git7.w/security/selinux/xfrm.c
--- linux-2.6.17-rc3-git7.p/security/selinux/xfrm.c 2006-05-03 10:25:02.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/xfrm.c 2006-05-07 01:02:35.000000000 -0400
@@ -356,18 +356,12 @@ int selinux_xfrm_postroute_last(u32 isec
struct xfrm_state *x = dst_test->xfrm;
if (x && selinux_authorizable_xfrm(x))
- goto accept;
+ goto out;
}
}
rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
ASSOCIATION__SENDTO, NULL);
- if (rc)
- goto drop;
-
-accept:
- return NF_ACCEPT;
-
-drop:
- return NF_DROP;
+out:
+ return rc;
}
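Review bot: the `goto out` in the authorizable-SA path now returns `rc` instead of NF_ACCEPT, so the function is only correct if `rc` is initialised to 0 before the dst walk; the hunk does not show the declaration, please confirm (or initialise it explicitly in this patch) since a stale non-zero `rc` would turn every IPsec-protected packet into NF_DROP at the new `return err ? NF_DROP : NF_ACCEPT` in hooks.c.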
^ permalink raw reply
* [RFC][SECMARK 06/08] Define a relabelto permission in the SELinux packet class
From: James Morris @ 2006-05-07 15:38 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch defines a new permission ('relabelto') in the new SELinux
packet object class, to be used when setting SECMARK rules for labeling
packets.
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/include/av_perm_to_string.h | 1 +
security/selinux/include/av_permissions.h | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/include/av_permissions.h linux-2.6.17-rc3-git7.w/security/selinux/include/av_permissions.h
--- linux-2.6.17-rc3-git7.p/security/selinux/include/av_permissions.h 2006-05-03 11:34:17.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/include/av_permissions.h 2006-05-07 00:14:13.000000000 -0400
@@ -935,4 +935,4 @@
#define PACKET__SEND 0x00000001UL
#define PACKET__RECV 0x00000002UL
-
+#define PACKET__RELABELTO 0x00000004UL
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/include/av_perm_to_string.h linux-2.6.17-rc3-git7.w/security/selinux/include/av_perm_to_string.h
--- linux-2.6.17-rc3-git7.p/security/selinux/include/av_perm_to_string.h 2006-05-03 11:34:17.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/include/av_perm_to_string.h 2006-05-07 00:14:34.000000000 -0400
@@ -241,3 +241,4 @@
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
S_(SECCLASS_PACKET, PACKET__SEND, "send")
S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+ S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
^ permalink raw reply
* [RFC][SECMARK 07/08] Add selinux_relabel_packet_permission() to SELinux API
From: James Morris @ 2006-05-07 15:39 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds a new function to the SELinux kernel API,
selinux_relabel_packet_permission(), which is to be invoked when labeling
packets via SECMARK.
The security policy must allow the specified label to be set by the
current task for the permission to be granted.
It is implicit that packets are being labeled from the default unlabeled
type.
Signed-off-by: James Morris <jmorris@namei.org>
---
include/linux/selinux.h | 16 ++++++++++++++++
security/selinux/exports.c | 11 +++++++++++
2 files changed, 27 insertions(+)
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/include/linux/selinux.h linux-2.6.17-rc3-git7.w/include/linux/selinux.h
--- linux-2.6.17-rc3-git7.p/include/linux/selinux.h 2006-05-07 00:10:56.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/include/linux/selinux.h 2006-05-07 00:33:00.000000000 -0400
@@ -129,6 +129,17 @@ void selinux_get_task_sid(struct task_st
*/
int selinux_string_to_sid(char *str, u32 *sid);
+/**
+ * selinux_relabel_packet_permission - check permission to relabel a packet
+ * @sid: ID value to be applied to network packet (via SECMARK, most likely)
+ *
+ * Returns 0 if the current task is allowed to label packets with the
+ * supplied security ID. Note that it is implicit that the packet is always
+ * being relabeled from the default unlabled value, and that the access
+ * control decision is made in the AVC.
+ */
+int selinux_relabel_packet_permission(u32 sid);
+
#else
static inline int selinux_audit_rule_init(u32 field, u32 op,
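Review bot: typo "unlabled" in the kerneldoc comment (should be "unlabeled"). The comment could also say that the check is made against the calling task's SID at rule-insertion time only; nothing re-validates existing rules after a policy reload.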
@@ -188,6 +199,11 @@ static inline int selinux_string_to_sid(
return 0;
}
+static inline int selinux_relabel_packet_permission(u32 sid)
+{
+ return 0;
+}
+
#endif /* CONFIG_SECURITY_SELINUX */
#endif /* _LINUX_SELINUX_H */
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/security/selinux/exports.c linux-2.6.17-rc3-git7.w/security/selinux/exports.c
--- linux-2.6.17-rc3-git7.p/security/selinux/exports.c 2006-05-07 00:10:56.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/security/selinux/exports.c 2006-05-07 00:24:22.000000000 -0400
@@ -83,3 +83,14 @@ int selinux_string_to_sid(char *str, u32
}
EXPORT_SYMBOL_GPL(selinux_string_to_sid);
+int selinux_relabel_packet_permission(u32 sid)
+{
+ if (selinux_enabled) {
+ struct task_security_struct *tsec = current->security;
+
+ return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET,
+ PACKET__RELABELTO, NULL);
+ }
+ return 0;
+}
+EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission);
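Review bot: avc_has_perm() is called with a NULL avc_audit_data, so a denied `packet relabelto` produces an AVC record with no hint of which rule or context triggered it; the caller knows the context string, so consider taking it (or a pre-built audit data) as a parameter so administrators can correlate the denial with the failing iptables command.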
^ permalink raw reply
* [RFC][SECMARK 08/08] Add selinux_relabel_packet_permission() check to xt_SECMARK
From: James Morris @ 2006-05-07 15:40 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds the selinux_relabel_packet_permission() check to the
SECMARK target, so that SELinux policy is consulted to ensure that the
labeling operation is permitted by the current task.
Signed-off-by: James Morris <jmorris@namei.org>
---
net/netfilter/xt_SECMARK.c | 6 ++++++
1 file changed, 6 insertions(+)
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/net/netfilter/xt_SECMARK.c linux-2.6.17-rc3-git7.w/net/netfilter/xt_SECMARK.c
--- linux-2.6.17-rc3-git7.p/net/netfilter/xt_SECMARK.c 2006-05-03 11:34:12.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/net/netfilter/xt_SECMARK.c 2006-05-07 00:35:44.000000000 -0400
@@ -72,6 +72,12 @@ static int checkentry_selinux(struct xt_
return 0;
}
+ err = selinux_relabel_packet_permission(sel->selsid);
+ if (err) {
+ printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
+ return 0;
+ }
+
return 1;
}
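Review bot: the failure message drops both the context and the error code, unlike the two messages above it that print sel->selctx; print the context and `err` so the "unable to obtain relabeling permission" line can be matched to the AVC denial. Since the check is against `current` at insertion time, the commit message should also note that the domain which loads the ruleset at boot (iptables-restore) needs `packet relabelto` on every context used by a SECMARK rule.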
^ permalink raw reply
* [RFC][SECMARK userland 01/03] Add libselinux support
From: James Morris @ 2006-05-07 15:42 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds the infrastructure for linking iptables against
libselinux, for use with the SECMARK target. This is enabled by setting
DO_SELINUX=1 in the build environment.
Signed-off-by: James Morris <jmorris@namei.org>
---
Makefile | 14 +++++++++++++-
Rules.make | 11 +++++++++--
extensions/Makefile | 15 ++++++++++++++-
3 files changed, 36 insertions(+), 4 deletions(-)
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile 2006-04-25 20:11:00.000000000 -0400
+++ iptables.w/extensions/Makefile 2006-04-25 20:10:43.000000000 -0400
@@ -8,6 +8,11 @@
PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+ifeq ($(DO_SELINUX), 1)
+PF_EXT_SE_SLIB:=
+PF6_EXT_SE_SLIB:=
+endif
+
# Optionals
PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
@@ -43,26 +48,34 @@ OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT
ifndef NO_SHARED_LIBS
SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
+SHARED_SE_LIBS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).so)
EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
+EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
ifeq ($(DO_IPV6), 1)
SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
+SHARED_SE_LIBS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).so)
EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
+EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
endif
else # NO_SHARED_LIBS
EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o)
+EXT_OBJS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).o)
EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
+EXT_FUNC+=$(foreach T,$(PF_EXT_SE_SLIB),ipt_$(T))
EXT_OBJS+= extensions/initext.o
ifeq ($(DO_IPV6), 1)
EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o)
+EXT6_OBJS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).o)
EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T))
+EXT6_FUNC+=$(foreach T,$(PF6_EXT_SE_SLIB),ip6t_$(T))
EXT6_OBJS+= extensions/initext6.o
endif # DO_IPV6
endif # NO_SHARED_LIBS
ifndef TOPLEVEL_INCLUDED
local:
- cd .. && $(MAKE) $(SHARED_LIBS)
+ cd .. && $(MAKE) $(SHARED_LIBS) $(SHARED_SE_LIBS)
endif
ifdef NO_SHARED_LIBS
diff -purN -X dontdiff iptables.p/Makefile iptables.w/Makefile
--- iptables.p/Makefile 2006-04-25 20:11:00.000000000 -0400
+++ iptables.w/Makefile 2006-04-25 01:16:43.000000000 -0400
@@ -31,6 +31,11 @@ ifeq ($(shell [ -f /usr/include/netinet/
DO_IPV6:=1
endif
+# Enable linking to libselinux via enviornment 'DO_SELINUX=1'
+ifndef DO_SELINUX
+DO_SELINUX=0
+endif
+
COPT_FLAGS:=-O2
CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
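Review bot: typo "enviornment" in the new comment (should be "environment").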
@@ -93,17 +98,24 @@ endif
ifndef NO_SHARED_LIBS
DEPFILES = $(SHARED_LIBS:%.so=%.d)
+DEPFILES += $(SHARED_SE_LIBS:%.so=%.d)
SH_CFLAGS:=$(CFLAGS) -fPIC
STATIC_LIBS =
STATIC6_LIBS =
LDFLAGS = -rdynamic
LDLIBS = -ldl -lnsl
+ifeq ($(DO_SELINUX), 1)
+LDLIBS += -lselinux
+endif
else
DEPFILES = $(EXT_OBJS:%.o=%.d)
STATIC_LIBS = extensions/libext.a
STATIC6_LIBS = extensions/libext6.a
LDFLAGS = -static
-LDLIBS =
+LDLIBS =
+ifeq ($(DO_SELINUX), 1)
+LDLIBS += -lselinux
+endif
endif
.PHONY: default
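Review bot: the `-LDLIBS =` / `+LDLIBS =` pair in the static branch is a whitespace-only change (trailing blank stripped); drop it from this patch so the hunk carries only the -lselinux addition.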
diff -purN -X dontdiff iptables.p/Rules.make iptables.w/Rules.make
--- iptables.p/Rules.make 2006-04-25 20:11:00.000000000 -0400
+++ iptables.w/Rules.make 2006-04-25 01:16:43.000000000 -0400
@@ -1,12 +1,12 @@
#! /usr/bin/make
-all: $(SHARED_LIBS) $(EXTRAS)
+all: $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS)
experimental: $(EXTRAS_EXP)
# Have to handle extensions which no longer exist.
clean: $(EXTRA_CLEANS)
- rm -f $(SHARED_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o)
+ rm -f $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o) $(SHARED_SE_LIBS:%.so=%_sh.o)
rm -f extensions/initext.c extensions/initext6.c
@find . -name '*.[ao]' -o -name '*.so' | xargs rm -f
@@ -33,6 +33,13 @@ $(SHARED_LIBS:%.so=%.d): %.d: %.c
$(SHARED_LIBS): %.so : %_sh.o
$(LD) -shared $(EXT_LDFLAGS) -o $@ $<
+$(SHARED_SE_LIBS:%.so=%.d): %.d: %.c
+ @-$(CC) -M -MG $(CFLAGS) $< | \
+ sed -e 's@^.*\.o:@$*.d $*_sh.o:@' > $@
+
+$(SHARED_SE_LIBS): %.so : %_sh.o
+ $(LD) -shared $(EXT_LDFLAGS) -o $@ $< $(LDLIBS)
+
%_sh.o : %.c
$(CC) $(SH_CFLAGS) -o $@ -c $<
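Review bot: the $(SHARED_SE_LIBS) link rule appends the whole $(LDLIBS), which in the shared build is `-ldl -lnsl -lselinux`, so every SELinux-aware extension .so picks up -ldl and -lnsl it does not use; introduce a dedicated variable (for example SE_LDLIBS := -lselinux) for this rule and leave $(LDLIBS) to the iptables binary.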
^ permalink raw reply
* [RFC][SECMARK userland 02/03] Add libipt_SECMARK
From: James Morris @ 2006-05-07 15:43 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds the shared library module for the SECMARK target (IPv4).
Signed-off-by: James Morris <jmorris@namei.org>
---
extensions/Makefile | 2
extensions/libipt_SECMARK.c | 125 ++++++++++++++++++++++++++++++++++++++++++
extensions/libipt_SECMARK.man | 7 ++
3 files changed, 133 insertions(+), 1 deletion(-)
diff -purN -X dontdiff iptables.p/extensions/libipt_SECMARK.c iptables.w/extensions/libipt_SECMARK.c
--- iptables.p/extensions/libipt_SECMARK.c 1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libipt_SECMARK.c 2006-04-25 20:12:16.000000000 -0400
@@ -0,0 +1,125 @@
+/*
+ * Shared library add-on to iptables to add SECMARK target support.
+ *
+ * Based on the MARK target.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+#define PFX "SECMARK target: "
+
+static void help(void)
+{
+ printf(
+"SECMARK target v%s options:\n"
+" --selctx value Set the SELinux security context\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+ { "selctx", 1, 0, '1' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void init(struct ipt_entry_target *t, unsigned int *nfcache)
+{ }
+
+/*
+ * Function which parses command options; returns true if it
+ * ate an option.
+ */
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry, struct ipt_entry_target **target)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & SECMARK_MODE_SEL)
+ exit_error(PARAMETER_PROBLEM, PFX
+ "Can't specify --selctx twice");
+ info->mode = SECMARK_MODE_SEL;
+
+ if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+ exit_error(PARAMETER_PROBLEM, PFX
+ "Maximum length %u exceeded by --selctx"
+ " parameter (%zu)",
+ SECMARK_SELCTX_MAX-1, strlen(optarg));
+
+ strcpy(info->u.sel.selctx, optarg);
+ *flags |= SECMARK_MODE_SEL;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
+}
+
+static void print_secmark(struct xt_secmark_target_info *info)
+{
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ printf("selctx %s ", info->u.sel.selctx);\
+ break;
+
+ default:
+ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
+static void print(const struct ipt_ip *ip,
+ const struct ipt_entry_target *target, int numeric)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)(target)->data;
+
+ printf("SECMARK ");
+ print_secmark(info);
+}
+
+/* Saves the target info in parsable form to stdout. */
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)target->data;
+
+ printf("--");
+ print_secmark(info);
+}
+
+static struct iptables_target secmark = {
+ .next = NULL,
+ .name = "SECMARK",
+ .version = IPTABLES_VERSION,
+ .revision = 0,
+ .size = IPT_ALIGN(sizeof(struct xt_secmark_target_selinux_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct xt_secmark_target_selinux_info)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ register_target(&secmark);
+}
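Review bot: the .size and .userspacesize initializers in the iptables_target at the end of the hunk use sizeof(struct xt_secmark_target_selinux_info), while parse(), print() and save() all access target->data as struct xt_secmark_target_info (the mode field plus the u.sel member), so the size registered here is smaller than the structure parse() writes through info; use IPT_ALIGN(sizeof(struct xt_secmark_target_info)) for both. In print_secmark() there is a stray backslash after `printf("selctx %s ", info->u.sel.selctx);`, which splices the following `break;` onto that line; drop it. Minor: parse() assigns info->mode before the length check; harmless because exit_error() does not return, but moving the assignment next to the strcpy() keeps all the writes into info together.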
diff -purN -X dontdiff iptables.p/extensions/libipt_SECMARK.man iptables.w/extensions/libipt_SECMARK.man
--- iptables.p/extensions/libipt_SECMARK.man 1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libipt_SECMARK.man 2006-04-25 20:12:16.000000000 -0400
@@ -0,0 +1,7 @@
+This is used to set the security mark value associated with the
+packet for use by security subsystems such as SELinux. It is only
+valid in the
+.B mangle
+table.
+.TP
+.BI "--selctx " "security_context"
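Review bot: the .TP entry for --selctx has no description paragraph after the .BI line, so the rendered page shows the option name and nothing else. Add a line stating that security_context is the full SELinux context to set on the packet (the help text in the C file calls it the SELinux security context), and mention that the extension is only built with DO_SELINUX=1, as the Makefile hunk below shows.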
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile 2006-04-25 20:12:07.000000000 -0400
+++ iptables.w/extensions/Makefile 2006-04-25 20:12:35.000000000 -0400
@@ -9,7 +9,7 @@ PF_EXT_SLIB:=ah addrtype comment connlim
PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
ifeq ($(DO_SELINUX), 1)
-PF_EXT_SE_SLIB:=
+PF_EXT_SE_SLIB:=SECMARK
PF6_EXT_SE_SLIB:=
endif
* [RFC][SECMARK userland 03/03] Add libip6t_SECMARK
From: James Morris @ 2006-05-07 15:44 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
This patch adds the shared library module for the SECMARK target (IPv6).
Signed-off-by: James Morris <jmorris@namei.org>
---
diff -purN -X dontdiff iptables.p/extensions/libip6t_SECMARK.c iptables.w/extensions/libip6t_SECMARK.c
--- iptables.p/extensions/libip6t_SECMARK.c 1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libip6t_SECMARK.c 2006-04-27 02:31:36.000000000 -0400
@@ -0,0 +1,125 @@
+/*
+ * Shared library add-on to iptables to add SECMARK target support.
+ *
+ * Based on the MARK target.
+ *
+ * IPv6 version.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ip6tables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+#define PFX "SECMARK target: "
+
+static void help(void)
+{
+ printf(
+"SECMARK target v%s options:\n"
+" --selctx value Set the SELinux security context\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+ { "selctx", 1, 0, '1' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
+{ }
+
+/*
+ * Function which parses command options; returns true if it
+ * ate an option.
+ */
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry, struct ip6t_entry_target **target)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)(*target)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & SECMARK_MODE_SEL)
+ exit_error(PARAMETER_PROBLEM, PFX
+ "Can't specify --selctx twice");
+ info->mode = SECMARK_MODE_SEL;
+
+ if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+ exit_error(PARAMETER_PROBLEM, PFX
+ "Maximum length %u exceeded by --selctx"
+ " parameter (%zu)",
+ SECMARK_SELCTX_MAX-1, strlen(optarg));
+
+ strcpy(info->u.sel.selctx, optarg);
+ *flags |= SECMARK_MODE_SEL;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
+}
+
+static void print_secmark(struct xt_secmark_target_info *info)
+{
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ printf("selctx %s ", info->u.sel.selctx);\
+ break;
+
+ default:
+ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
+static void print(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_target *target, int numeric)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)(target)->data;
+
+ printf("SECMARK ");
+ print_secmark(info);
+}
+
+/* Saves the target info in parsable form to stdout. */
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
+{
+ struct xt_secmark_target_info *info =
+ (struct xt_secmark_target_info*)target->data;
+
+ printf("--");
+ print_secmark(info);
+}
+
+static struct ip6tables_target secmark = {
+ .name = "SECMARK",
+ .version = IPTABLES_VERSION,
+ .size = IP6T_ALIGN(sizeof(struct xt_secmark_target_selinux_info)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct xt_secmark_target_selinux_info)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ register_target6(&secmark);
+}
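Review bot: same two defects as the IPv4 module: .size/.userspacesize use sizeof(struct xt_secmark_target_selinux_info) although the code accesses target->data as struct xt_secmark_target_info (IP6T_ALIGN(sizeof(struct xt_secmark_target_info)) is the right size for both), and print_secmark() carries a stray trailing backslash after the printf() line that splices `break;` onto it. The file otherwise duplicates libipt_SECMARK.c apart from the ip6t_ type names and register_target6(); since xt_secmark_target_info comes from the protocol-independent linux/netfilter/xt_SECMARK.h header, consider sharing parse(), final_check(), print_secmark() and save() between the two modules rather than keeping two copies that will need the same fixes.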
diff -purN -X dontdiff iptables.p/extensions/libip6t_SECMARK.man iptables.w/extensions/libip6t_SECMARK.man
--- iptables.p/extensions/libip6t_SECMARK.man 1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libip6t_SECMARK.man 2006-04-27 02:23:09.000000000 -0400
@@ -0,0 +1,7 @@
+This is used to set the security mark value associated with the
+packet for use by security subsystems such as SELinux. It is only
+valid in the
+.B mangle
+table.
+.TP
+.BI "--selctx " "security_context"
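Review bot: as with the IPv4 page, --selctx has no description below its .BI line; add one. The two .man files are otherwise identical, so a single shared text would keep them from drifting apart.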
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile 2006-04-27 02:22:22.000000000 -0400
+++ iptables.w/extensions/Makefile 2006-04-27 02:25:34.000000000 -0400
@@ -10,7 +10,7 @@ PF6_EXT_SLIB:=connmark eui64 hl icmp6 le
ifeq ($(DO_SELINUX), 1)
PF_EXT_SE_SLIB:=SECMARK
-PF6_EXT_SE_SLIB:=
+PF6_EXT_SE_SLIB:=SECMARK
endif
# Optionals
* Re: [RFC] SECMARK 1.0
From: Joshua Brindle @ 2006-05-07 17:04 UTC (permalink / raw)
To: James Morris
Cc: selinux, netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
James Morris wrote:
> For example, SELinux will now be able to utilize connection tracking, so
> that only packets which are known to be valid for a specific connection
> will be allowed to reach the subject.
>
> Sample iptables rules for labeling packets are at:
> http://people.redhat.com/jmorris/selinux/secmark/rules/
>
> And examples of new policy controls may be found here:
> http://people.redhat.com/jmorris/selinux/secmark/policy/
>
It looks like you are labeling all packets on an established connection
as tracked_packet_t. What is the rationale for not labeling all ftp
traffic as ftpd_packet_t? Granted that it's very unlikely for established
connections to go to the wrong process, but the SELinux policy should be
able to clearly show that ftpd and sshd cannot see each others packets
but these policies say that they can both send/receive tracked_packet_t.
Obviously these are just examples, I'm just curious if there was a
reason to label established packets differently from the new connection
packets (and the same as all the other established packets).
I imagine that, at least at first, it would be good to have allow domain
unlabeled_t:packet { send recv }; in an (enabled) conditional so that
the migration will be easier.
Also, we need to come up with a mechanism for distributing default
marking rules that can accompany a policy. The rules could go into a
section in the .pp file but how does that integrate with various
firewall systems that take control of the iptables rules?
And finally, what happens if the labeling rule changes during an
established connection? Do the packets related to that connection retain
the original label or will they get the new label?
Thanks, this will be very beneficial to the SELinux community
* Re: [RFC] SECMARK 1.0
From: James Morris @ 2006-05-07 17:43 UTC (permalink / raw)
To: Joshua Brindle
Cc: selinux, netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <445E288B.4040908@gentoo.org>
On Sun, 7 May 2006, Joshua Brindle wrote:
> It looks like you are labeling all packets on an established connection as
> tracked_packet_t. What is the rationale for not labeling all ftp traffic as
> ftpd_packet_t? Granted that its very unlikely for established connections to
> go to the wrong process but the SELinux policy should be able to clearly show
> that ftpd and sshd cannot see each others packets but these policies say that
> they can both send/receive tracked_packet_t.
Yes. This is due to the way connection tracking works: there's no
indication of which connection the packet belongs to, just its state. We
depend on conntrack to correctly determine the state of the packet,
anyway, and we don't have real IP security without something like IPsec.
SELinux policy analysis will need to work on the assumption that conntrack
is working correctly, and that a packet which is a valid part of an ftp
connection won't end up delivering data to sshd.
We could look at something similar to the CONNMARK target, where
connections are labeled, but it's very ugly and really not useful, as we
assume that conntrack is working correctly.
You can always not use conntrack and emulate the existing controls, as
well.
> Obviously these are just examples, I'm just curious if there was a reason to
> label established packets differently from the new connection packets (and the
> same as all the other established packets)
The label for the new connection packet is essential for ensuring that the
connection being created is the right type. We know that if a valid SYN
arrives on port 22, that this is an attempt to establish a connection with
sshd (assuming it's configured to listen on port 22). Then, conntrack
observes the TCP handshake, and creates connection state if successful.
Also, we only want sshd to receive new connections here, not create them.
> I imagine that, at least at first, it would be good to have allow domain
> unlabeled_t:packet { send recv }; in an (enabled) conditional so that the
> migration will be easier.
See
http://people.redhat.com/jmorris/selinux/secmark/policy/packettest/packettest.te
# Totally insecure, for testing.
#
# Allow all unlabeled packets to all domains.
#
allow domain unlabeled_t:packet { send recv };
As the policy is generated by macros, it should be very simple to change
just a few of the macros to generate compatible policy rules for the new
controls.
> Also, we need to come up with a mechanism for distributing default marking
> rules that can accompany a policy. The rules could go into a section in the
> .pp file but how does that integrate with various firewall systems that take
> control of the iptables rules?
I believe the way to handle this is to create SELinux input and output
chains and then add all of the SELinux labeling rules via them, so the
SELinux rules are at least partitioned off, and these tools will be able
to treat them opaquely. Have a look at the example rulesets I posted on
the web site.
> And finally, what happens if the labeling rule changes during an established
> connection? Do the packets related to that connection retain the original
> label or will they get the new label?
It depends on which rule is changed. If it's for a NEW connection, only
packets hitting that will get the new label. For ESTABLISHED & RELATED,
all packets on those rules will get the new label once the rule is
updated.
> Thanks, this will be very beneficial to the SELinux community
I hope so, the SELinux policy should be pretty simple, and the iptables
rules perhaps not so much, but they'll be generated by macros.
I've also seen some interesting performance improvements (especially if
conntrack is not loaded), although we won't really know the overall
picture until all of the current policy is converted over. Then it'll be
a case of how well iptables performs with lots of rules and chains.
- James
--
James Morris
<jmorris@namei.org>
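The labeling scheme described in the reply above, as an added example in shell script; this is not code from the SECMARK patches or from the rule sets on people.redhat.com. It generates the mangle-table rules the way the reply sketches them: a NEW connection to a listening port decides the packet type, everything conntrack has already matched to a connection becomes tracked_packet_t in both directions, and the SELinux rules live in chains of their own so other firewall tools can treat them opaquely. The chain names SELINUX_INPUT/SELINUX_OUTPUT, the system_u:object_r:<type>:s0 context form, the domain names sshd_t/ftpd_t and the availability of the SECMARK target and the state match are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not part of the SECMARK patches or James Morris's rule set):
# generator for the mangle-table labeling rules and the matching policy lines.
# Assumed, not from the thread: chain names SELINUX_INPUT/SELINUX_OUTPUT, the
# system_u:object_r:<type>:s0 context form, and a kernel with the SECMARK
# target and the state match available.

CTX_PREFIX="system_u:object_r"
CTX_SUFFIX="s0"

# secmark_rules PORT:TYPE ...  -> iptables-restore fragment on stdout.
# A NEW connection to PORT decides the type: the SYN is the one packet that
# says which daemon the connection is for, and the daemon only receives such
# packets, it never sends them. Everything conntrack has already matched to a
# connection is labeled tracked_packet_t, inbound and outbound.
secmark_rules() {
    tracked="$CTX_PREFIX:tracked_packet_t:$CTX_SUFFIX"
    printf '%s\n' '*mangle'
    printf '%s\n' ':SELINUX_INPUT - [0:0]'
    printf '%s\n' ':SELINUX_OUTPUT - [0:0]'
    printf '%s\n' '-A INPUT -j SELINUX_INPUT'
    printf '%s\n' '-A OUTPUT -j SELINUX_OUTPUT'
    for pair in "$@"; do
        port=${pair%%:*}
        ptype=${pair#*:}
        printf '%s\n' "-A SELINUX_INPUT -p tcp --dport $port -m state --state NEW -j SECMARK --selctx $CTX_PREFIX:$ptype:$CTX_SUFFIX"
    done
    # SECMARK does not terminate the chain, but a SYN is NEW, not ESTABLISHED,
    # so no packet passes through two SECMARK rules.
    printf '%s\n' "-A SELINUX_INPUT -m state --state ESTABLISHED,RELATED -j SECMARK --selctx $tracked"
    printf '%s\n' "-A SELINUX_OUTPUT -m state --state ESTABLISHED,RELATED -j SECMARK --selctx $tracked"
    printf '%s\n' 'COMMIT'
}

# secmark_policy DOMAIN:TYPE ... -> policy rules on stdout, in the shape the
# thread quotes (allow <domain> <type>:packet { send recv };). The daemon may
# only receive its new-connection packets; established traffic is shared
# tracked_packet_t, which is exactly the point raised in the thread.
secmark_policy() {
    for pair in "$@"; do
        domain=${pair%%:*}
        ptype=${pair#*:}
        printf '%s\n' "allow $domain $ptype:packet recv;"
        printf '%s\n' "allow $domain tracked_packet_t:packet { send recv };"
    done
}

# Usage (needs root and an SELinux kernel; not executed here):
#   secmark_rules 22:sshd_packet_t 21:ftpd_packet_t | iptables-restore -n
#   secmark_policy sshd_t:sshd_packet_t ftpd_t:ftpd_packet_t >> packet.te
```

The generator only ever emits the SELinux rules inside the two dedicated chains; the jumps from INPUT and OUTPUT are the single point of contact with whatever else manages the mangle table, which is what makes the rules easy for other tools to leave alone.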
* Re: [RFC] SECMARK 1.0
From: James Morris @ 2006-05-07 17:44 UTC (permalink / raw)
To: selinux; +Cc: netdev, netfilter-devel, Stephen Smalley, Daniel J Walsh
In-Reply-To: <Pine.LNX.4.64.0605071104590.8588@d.namei>
(note: an old, incorrect address for netfilter-devel was used in the
initial mail, please update to the correct one as above if replying to
this thread).
--
James Morris
<jmorris@namei.org>
* Re: [PATCH] phy: new SMSC LAN83C185 PHY driver
From: Francois Romieu @ 2006-05-07 18:56 UTC (permalink / raw)
To: Herbert Valerio Riedel; +Cc: afleming, netdev
In-Reply-To: <E1Fcj4p-00061b-3o@fencepost.gnu.org>
> diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
> new file mode 100644
> index 0000000..b96eb52
> --- /dev/null
> +++ b/drivers/net/phy/smsc.c
[...]
> +/* prototypes */
> +static int lan83c185_config_init(struct phy_device *);
> +static int lan83c185_config_intr(struct phy_device *);
> +static int lan83c185_ack_interrupt(struct phy_device *);
The forward declarations are useless.
> +static int lan83c185_config_init(struct phy_device *phydev)
> +{
> + pr_debug ("%s: config_init\n", phydev->attached_dev->name);
drivers/net/phy/*c does not use space before brace when functions
are called.
[...]
> +static struct phy_driver lan83c185_driver = {
> + .phy_id = 0x0007c0a0, /* OUI=0x00800f, Model#=0x0a */
> + .phy_id_mask = 0xfffffff0,
> + .name = "SMSC LAN83C185",
> +
> + .features = (PHY_BASIC_FEATURES | SUPPORTED_Pause
> + | SUPPORTED_Asym_Pause),
> + .flags = PHY_HAS_INTERRUPT | PHY_HAS_MAGICANEG,
> +
> + /* basic functions */
> + .config_aneg = genphy_config_aneg,
> + .read_status = genphy_read_status,
> + .config_init = lan83c185_config_init,
> +
> + /* IRQ related */
> + .ack_interrupt = lan83c185_ack_interrupt,
> + .config_intr = lan83c185_config_intr,
Whitespace/tab damage.
[...]
> +static int __init smsc_init(void)
> +{
> + int rc;
> +
> + if ((rc = phy_driver_register (&lan83c185_driver)))
> + goto err_register_lan83c185_driver;
> +
> + return 0;
> +
> + /* phy_driver_unregister (&lan83c185_driver); */
> + err_register_lan83c185_driver:
Wow. :o)
What about:
static int __init smsc_init(void)
{
return phy_driver_register(&lan83c185_driver);
}
> +/*
> + * Overrides for Emacs so that we follow Linus's tabbing style.
> + * Emacs will notice this stuff at the end of the file and automatically
> + * adjust the settings for this buffer only. This must remain at the end
> + * of the file.
> + * ---------------------------------------------------------------------------
> + * Local variables:
> + * c-file-style: "linux"
> + * End:
> + */
Bloat. Where files in drivers/net include similar stuff, the lengthy
explanation was removed.
The pr_debug statements ought to go imvho.
The patch contains a few tabs/whitespace at end of lines.
--
Ueimor
* [PATCH] phy: new SMSC LAN83C185 PHY driver
From: Herbert Valerio Riedel @ 2006-05-07 21:27 UTC (permalink / raw)
To: Francois Romieu; +Cc: afleming, netdev
new SMSC LAN83C185 10BaseT/100BaseTX PHY driver for the PHY subsystem
Signed-off-by: Herbert Valerio Riedel <hvr@gnu.org>
---
2nd attempt
drivers/net/phy/Kconfig | 6 +++
drivers/net/phy/Makefile | 1
drivers/net/phy/smsc.c | 101 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 108 insertions(+), 0 deletions(-)
create mode 100644 drivers/net/phy/smsc.c
fcd93884d904a36293d80af6841fde4dc3b8eca8
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index fa39b94..cda3e53 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -45,5 +45,11 @@ config CICADA_PHY
---help---
Currently supports the cis8204
+config SMSC_PHY
+ tristate "Drivers for SMSC PHYs"
+ depends on PHYLIB
+ ---help---
+ Currently supports the LAN83C185 PHY
+
endmenu
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index e4116a5..d961413 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -8,3 +8,4 @@ obj-$(CONFIG_DAVICOM_PHY) += davicom.o
obj-$(CONFIG_CICADA_PHY) += cicada.o
obj-$(CONFIG_LXT_PHY) += lxt.o
obj-$(CONFIG_QSEMI_PHY) += qsemi.o
+obj-$(CONFIG_SMSC_PHY) += smsc.o
diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
new file mode 100644
index 0000000..25e31fb
--- /dev/null
+++ b/drivers/net/phy/smsc.c
@@ -0,0 +1,101 @@
+/*
+ * drivers/net/phy/smsc.c
+ *
+ * Driver for SMSC PHYs
+ *
+ * Author: Herbert Valerio Riedel
+ *
+ * Copyright (c) 2006 Herbert Valerio Riedel <hvr@gnu.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ */
+
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/mii.h>
+#include <linux/ethtool.h>
+#include <linux/phy.h>
+#include <linux/netdevice.h>
+
+#define MII_LAN83C185_ISF 29 /* Interrupt Source Flags */
+#define MII_LAN83C185_IM 30 /* Interrupt Mask */
+
+#define MII_LAN83C185_ISF_INT1 (1<<1) /* Auto-Negotiation Page Received */
+#define MII_LAN83C185_ISF_INT2 (1<<2) /* Parallel Detection Fault */
+#define MII_LAN83C185_ISF_INT3 (1<<3) /* Auto-Negotiation LP Ack */
+#define MII_LAN83C185_ISF_INT4 (1<<4) /* Link Down */
+#define MII_LAN83C185_ISF_INT5 (1<<5) /* Remote Fault Detected */
+#define MII_LAN83C185_ISF_INT6 (1<<6) /* Auto-Negotiation complete */
+#define MII_LAN83C185_ISF_INT7 (1<<7) /* ENERGYON */
+
+#define MII_LAN83C185_ISF_INT_ALL (0x0e)
+
+#define MII_LAN83C185_ISF_INT_PHYLIB_EVENTS \
+ (MII_LAN83C185_ISF_INT6 | MII_LAN83C185_ISF_INT4)
+
+
+static int lan83c185_config_intr(struct phy_device *phydev)
+{
+ int rc = phy_write (phydev, MII_LAN83C185_IM,
+ ((PHY_INTERRUPT_ENABLED == phydev->interrupts)
+ ? MII_LAN83C185_ISF_INT_PHYLIB_EVENTS
+ : 0));
+
+ return rc < 0 ? rc : 0;
+}
+
+static int lan83c185_ack_interrupt(struct phy_device *phydev)
+{
+ int rc = phy_read (phydev, MII_LAN83C185_ISF);
+
+ return rc < 0 ? rc : 0;
+}
+
+static int lan83c185_config_init(struct phy_device *phydev)
+{
+ return lan83c185_ack_interrupt (phydev);
+}
+
+
+static struct phy_driver lan83c185_driver = {
+ .phy_id = 0x0007c0a0, /* OUI=0x00800f, Model#=0x0a */
+ .phy_id_mask = 0xfffffff0,
+ .name = "SMSC LAN83C185",
+
+ .features = (PHY_BASIC_FEATURES | SUPPORTED_Pause
+ | SUPPORTED_Asym_Pause),
+ .flags = PHY_HAS_INTERRUPT | PHY_HAS_MAGICANEG,
+
+ /* basic functions */
+ .config_aneg = genphy_config_aneg,
+ .read_status = genphy_read_status,
+ .config_init = lan83c185_config_init,
+
+ /* IRQ related */
+ .ack_interrupt = lan83c185_ack_interrupt,
+ .config_intr = lan83c185_config_intr,
+
+ .driver = { .owner = THIS_MODULE, }
+};
+
+static int __init smsc_init(void)
+{
+ return phy_driver_register (&lan83c185_driver);
+}
+
+static void __exit smsc_exit(void)
+{
+ phy_driver_unregister (&lan83c185_driver);
+}
+
+MODULE_DESCRIPTION("SMSC PHY driver");
+MODULE_AUTHOR("Herbert Valerio Riedel");
+MODULE_LICENSE("GPL");
+
+module_init(smsc_init);
+module_exit(smsc_exit);
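Review bot: MII_LAN83C185_ISF_INT_ALL is defined as 0x0e, which covers only INT1|INT2|INT3 of the seven ISF bits defined just above it, and it is never used; either drop it or define it as the OR of the INT1..INT7 bits. The space before the opening parenthesis in phy_write (, phy_read (, lan83c185_ack_interrupt (, phy_driver_register ( and phy_driver_unregister ( is still there, which the previous review asked to be removed to match the rest of drivers/net/phy/. The interrupt handling itself reads cleanly: config_intr() writes the mask register with only the link-down and autoneg-complete bits when interrupts are enabled, and config_init() reuses ack_interrupt() to clear anything pending before the PHY is brought up.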
--
1.2.6
* Re: [PATCH] phy: new SMSC LAN83C185 PHY driver
From: Francois Romieu @ 2006-05-08 0:01 UTC (permalink / raw)
To: Herbert Valerio Riedel; +Cc: afleming, netdev
In-Reply-To: <E1FcqmN-0003ZV-FB@fencepost.gnu.org>
Herbert Valerio Riedel <hvr@gnu.org> :
> new SMSC LAN83C185 10BaseT/100BaseTX PHY driver for the PHY subsystem
>
> Signed-off-by: Herbert Valerio Riedel <hvr@gnu.org>
Fine-with-me: Francois Romieu <romieu@fr.zoreil.com>
--
Ueimor