• etienne's avatar
    smack: fixes for unlabeled host support · 211a40c0
    etienne authored
    The following patch (against 2.6.29rc5) fixes a few issues in the
    smack/netlabel "unlabeled host support" functionnality that was added in
    2.6.29rc.  It should go in before -final.
    1) smack_host_label disregard a " @" rule (or other label),
    preventing 'tagged' tasks to access Internet (many systems drop packets with
    IP options)
    2) netmasks were not handled correctly, they were stored in a way _not
    equivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,
    /32 masks but not other masks)
    3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask&IP was not
    done), so there could have been different list entries for the same IP
    prefix; if those entries had different labels, well ...
    4) they were not sorted
    1) 2) 3) are bugs, 4) is a more cosmetic issue.
    The patch :
    -creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,
    -sorted by netmask length
    -use the new sorted nature of  smack_netlbladdrs list to simplify
     smack_host_label : the first match _will_ be the more specific
    -corrects endianness issues in smk_write_netlbladdr &  netlbladdr_seq_show
    Signed-off-by: <etienne.basset@numericable.fr>
    Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    Reviewed-by: default avatarPaul Moore <paul.moore@hp.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Last commit
Last update
keys Loading commit data...
selinux Loading commit data...
smack Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
capability.c Loading commit data...
commoncap.c Loading commit data...
device_cgroup.c Loading commit data...
inode.c Loading commit data...
root_plug.c Loading commit data...
security.c Loading commit data...