/*
 * AppArmor security module
 *
 * This file contains AppArmor capability mediation functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/gfp.h>

#include "include/apparmor.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/policy.h"
#include "include/audit.h"

/*
 * Table of capability names: we generate it from capabilities.h.
 */
#include "capability_names.h"

/*
 * securityfs entries for capability mediation: "mask" publishes the
 * AA_FS_CAPS_MASK string (defined in include/capability.h, not shown here).
 * The trailing empty entry terminates the table.
 */
struct aa_fs_entry aa_fs_entry_caps[] = {
	AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK),
	{ }
};

/*
 * Per-CPU duplicate-suppression state used by audit_caps(): the profile the
 * last capability audit message on this CPU was emitted for, and the set of
 * capabilities already reported for it.
 */
struct audit_cache {
	struct aa_profile *profile;	/* counted reference, taken with aa_get_profile() */
	kernel_cap_t caps;		/* capabilities already audited for @profile */
};

/* one cache entry per CPU; always accessed between get_cpu_var()/put_cpu_var() */
static DEFINE_PER_CPU(struct audit_cache, audit_cache);

/**
 * audit_cb - call back for capability components of audit struct
 * @ab - audit buffer   (NOT NULL)
 * @va - audit struct to audit data from  (NOT NULL)
 */
/**
 * audit_cb - append the capability name to a capability audit record
 * @ab: audit buffer being built   (NOT NULL)
 * @va: struct common_audit_data describing the event  (NOT NULL)
 *
 * Emits " capname=<name>", where the name is looked up by capability
 * number in the generated capability_names table.
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;
	const char *name = capability_names[sa->u.cap];

	audit_log_format(ab, " capname=");
	/* untrustedstring escapes any non-printable bytes before logging */
	audit_log_untrustedstring(ab, name);
}

/**
 * audit_caps - audit a capability
 * @profile: profile being tested for confinement (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
 * Do auditing of capability and handle, audit/complain/kill modes switching
 * and duplicate message elimination.
 *
 * Returns: 0 or sa->error on success,  error code on failure
 */
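/**
 * audit_caps - audit a capability
 * @profile: profile being tested for confinement (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
 * Do auditing of capability and handle, audit/complain/kill modes switching
 * and duplicate message elimination.
 *
 * The per-cpu audit_cache remembers the last profile audited on this cpu
 * and the capabilities already reported for it, so a repeated request for
 * the same (profile, cap) pair is not logged again.  The cached capability
 * set is reset whenever the cached profile changes; otherwise capabilities
 * reported for a previous profile would suppress the first message for a
 * different profile using the same cpu.
 *
 * Returns: 0 or sa->error on success,  error code on failure
 */
static int audit_caps(struct aa_profile *profile, int cap, int error)
{
	struct audit_cache *ent;
	int type = AUDIT_APPARMOR_AUTO;
	struct common_audit_data sa;
	struct apparmor_audit_data aad = {0,};
	sa.type = LSM_AUDIT_DATA_CAP;
	sa.aad = &aad;
	sa.u.cap = cap;
	sa.aad->op = OP_CAPABLE;
	sa.aad->error = error;

	if (likely(!error)) {
		/* allowed: only log when auditing is being forced, either for
		 * the whole profile (AUDIT_ALL) or for this capability */
		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
			   !cap_raised(profile->caps.audit, cap)))
			return 0;
		type = AUDIT_APPARMOR_AUDIT;
	} else if (KILL_MODE(profile) ||
		   cap_raised(profile->caps.kill, cap)) {
		/* denial the profile wants escalated to a kill */
		type = AUDIT_APPARMOR_KILL;
	} else if (cap_raised(profile->caps.quiet, cap) &&
		   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
		   AUDIT_MODE(profile) != AUDIT_ALL) {
		/* quiet auditing: return the denial without a record */
		return error;
	}

	/* Do simple duplicate message elimination.  get_cpu_var() disables
	 * preemption, so the entry must be released on every path. */
	ent = &get_cpu_var(audit_cache);
	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
		put_cpu_var(audit_cache);
		if (COMPLAIN_MODE(profile))
			return complain_error(error);
		return error;
	}
	if (profile != ent->profile) {
		/* switching profiles: drop the stale capability set so caps
		 * logged for the previous profile do not mask this one */
		aa_put_profile(ent->profile);
		ent->profile = aa_get_profile(profile);
		cap_clear(ent->caps);
	}
	cap_raise(ent->caps, cap);
	put_cpu_var(audit_cache);

	return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
}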

/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced    (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 *
 * Returns: 0 if allowed else -EPERM
 */
/**
 * profile_capable - check whether @profile grants capability @cap
 * @profile: profile being enforced    (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 *
 * Only the profile's allow set is consulted; audit/quiet/kill handling
 * is done by the caller.
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap)
{
	if (cap_raised(profile->caps.allow, cap))
		return 0;
	return -EPERM;
}

/**
 * aa_capable - test permission to use capability
 * @profile: profile being tested against (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
 * Look up capability in profile capability set.
 *
 * Returns: 0 on success, or else an error code.
 */
/**
 * aa_capable - test permission to use capability
 * @profile: profile being tested against (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
 * Look up @cap in the profile's capability set.  When @audit is set the
 * result goes through audit_caps(), which also applies the profile's
 * complain/kill/quiet handling; otherwise only complain mode is applied.
 *
 * Returns: 0 on success, or else an error code.
 */
int aa_capable(struct aa_profile *profile, int cap, int audit)
{
	int error = profile_capable(profile, cap);

	if (audit)
		return audit_caps(profile, cap, error);

	/* unaudited path: complain mode downgrades a denial */
	return COMPLAIN_MODE(profile) ? complain_error(error) : error;
}
ing conntrack entry already exists, where the original
direction of the existing connection is opposed to the new
connection's initial packet.

Most importantly, conntrack state relating to the current packet gets
the "reply" designation based on whether the original direction tuple
or the reply direction tuple matched.  If this "directionality" is
wrong w.r.t. the stateful network admission policy it may happen
that packets in neither direction are correctly admitted.

This patch adds a new "force commit" option to the OVS conntrack
action that checks the original direction of an existing conntrack
entry.  If that direction is opposed to the current packet, the
existing conntrack entry is deleted and a new one is subsequently
created in the correct direction.

Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 22:59:34 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc'>openvswitch: Add original direction conntrack tuple to sw_flow_key.</a></td><td>Jarno Rajahalme</td><td>1</td><td><span class='deletions'>-1</span>/<span class='insertions'>+19</span></td></tr>
Add the fields of the conntrack original direction 5-tuple to struct
sw_flow_key.  The new fields are initially marked as non-existent, and
are populated whenever a conntrack action is executed and either finds
or generates a conntrack entry.  This means that these fields exist
for all packets that were not rejected by conntrack as untrackable.

The original tuple fields in the sw_flow_key are filled from the
original direction tuple of the conntrack entry relating to the
current packet, or from the original direction tuple of the master
conntrack entry, if the current conntrack entry has a master.
Generally, expected connections of connections having an assigned
helper (e.g., FTP), have a master conntrack entry.

The main purpose of the new conntrack original tuple fields is to
allow matching on them for policy decision purposes, with the premise
that the admissibility of tracked connections reply packets (as well
as original direction packets), and both direction packets of any
related connections may be based on ACL rules applying to the master
connection's original direction 5-tuple.  This also makes it easier to
make policy decisions when the actual packet headers might have been
transformed by NAT, as the original direction 5-tuple represents the
packet headers before any such transformation.

When using the original direction 5-tuple the admissibility of return
and/or related packets need not be based on the mere existence of a
conntrack entry, allowing separation of admission policy from the
established conntrack state.  While existence of a conntrack entry is
required for admission of the return or related packets, policy
changes can render connections that were initially admitted to be
rejected or dropped afterwards.  If the admission of the return and
related packets was based on mere conntrack state (e.g., connection
being in an established state), a policy change that would make the
connection rejected or dropped would need to find and delete all
conntrack entries affected by such a change.  When using the original
direction 5-tuple matching the affected conntrack entries can be
allowed to time out instead, as the established state of the
connection would not need to be the basis for packet admission any
more.

It should be noted that the directionality of related connections may
be the same or different than that of the master connection, and
neither the original direction 5-tuple nor the conntrack state bits
carry this information.  If needed, the directionality of the master
connection can be stored in master's conntrack mark or labels, which
are automatically inherited by the expected related connections.

The fact that neither ARP nor ND packets are trackable by conntrack
allows mutual exclusion between ARP/ND and the new conntrack original
tuple fields.  Hence, the IP addresses are overlaid in union with ARP
and ND fields.  This allows the sw_flow_key to not grow much due to
this patch, but it also means that we must be careful to never use the
new key fields with ARP or ND packets.  ARP is easy to distinguish and
keep mutually exclusive based on the ethernet type, but ND being an
ICMPv6 protocol requires a bit more attention.

Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 22:59:34 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=cb80d58fae76d8ea93555149b2b16e19b89a1f4f'>openvswitch: Unionize ovs_key_ct_label with a u32 array.</a></td><td>Jarno Rajahalme</td><td>1</td><td><span class='deletions'>-2</span>/<span class='insertions'>+6</span></td></tr>
Make the array of labels in struct ovs_key_ct_label a union, adding a
u32 array of the same byte size as the existing u8 array.  It is
faster to loop through the labels 32 bits at a time, which is also
the alignment of netlink attributes.

Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=242bd2d519d7194633e309286ba7ba29a1ad63e8'>sctp: implement sender-side procedures for Add Incoming/Outgoing Streams ↵</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+9</span></td></tr>
Request Parameter

This patch is to implement Sender-Side Procedures for the Add
Outgoing and Incoming Streams Request Parameter described in
rfc6525 section 5.1.5-5.1.6.

It is also to add sockopt SCTP_ADD_STREAMS in rfc6525 section
6.3.4 for users.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=78098117f8bfad4f2104c3f7b6b69071af95a246'>sctp: add support for generating stream reconf add incoming/outgoing streams ↵</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+10</span></td></tr>
request chunk

This patch is to define Add Incoming/Outgoing Streams Request
Parameter described in rfc6525 section 4.5 and 4.6. They can
be carried in the same chunk, as rfc6525 section 3.1-7 describes,
so they are generated in one function.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=a92ce1a42dde1caaee4afae67531e3e7acecf6e4'>sctp: implement sender-side procedures for SSN/TSN Reset Request Parameter</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+2</span></td></tr>
This patch is to implement Sender-Side Procedures for the SSN/TSN
Reset Request Parameter described in rfc6525 section 5.1.4.

It is also to add sockopt SCTP_RESET_ASSOC in rfc6525 section 6.3.3
for users.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=c56480a1e90261842f54f3a5a9ebc12d827f0c3e'>sctp: add support for generating stream reconf ssn/tsn reset request chunk</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+7</span></td></tr>
This patch is to define SSN/TSN Reset Request Parameter described
in rfc6525 section 4.3.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=9faf1c0fd5a943e498dbc0c86ff42e965b347d08'>sctp: drop unnecessary __packed from some stream reconf structures</a></td><td>Xin Long</td><td>1</td><td><span class='deletions'>-3</span>/<span class='insertions'>+3</span></td></tr>
commit 85c727b59483 ("sctp: drop __packed from almost all SCTP structures")
has removed __packed from almost all SCTP structures. But there still are
three structures where it should be dropped.

This patch is to remove it from some stream reconf structures.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-08 15:25:18 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=982acb97560c8118c2109504a22b0d78a580547d'>ipv4: fib: Notify about nexthop status changes</a></td><td>Ido Schimmel</td><td>1</td><td><span class='deletions'>-0</span>/<span class='insertions'>+7</span></td></tr>
When a multipath route is hit the kernel doesn't consider nexthops that
are DEAD or LINKDOWN when IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN is set.
Devices that offload multipath routes need to be made aware of nexthop
status changes. Otherwise, the device will keep forwarding packets to
non-functional nexthops.

Add the FIB_EVENT_NH_{ADD,DEL} events to the fib notification chain,
which notify capable devices when they should add or delete a nexthop
from their tables.

Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-08 15:11:22 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=6a2cac549b368960c9cd6a993f2f2cc6d720e935'>net: stmmac: Remove the bus_setup function pointer</a></td><td>LABBE Corentin</td><td>1</td><td><span class='deletions'>-1</span>/<span class='insertions'>+0</span></td></tr>
The bus_setup function pointer is not used at all, so this patch removes it.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-08 14:38:18 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=97e219b7c1f75b14b29abe28ad53e8709e8d15e5'>gro_cells: move to net/core/gro_cells.c</a></td><td>Eric Dumazet</td><td>1</td><td><span class='deletions'>-82</span>/<span class='insertions'>+4</span></td></tr>
We have many gro cells users, so let's move the code to avoid
duplication.

This creates a CONFIG_GRO_CELLS option.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>


<tr class='logheader'><td><span title='2017-02-08 13:29:04 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=04d8a0a5f3b6887543850d991a5e37c4ec90e250'>net: phy: Add LED mode driver for Microsemi PHYs.</a></td><td>Raju Lakkaraju