/*
 * AppArmor security module
 *
 * This file contains AppArmor capability mediation functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/gfp.h>

#include "include/apparmor.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/policy.h"
#include "include/audit.h"

/*
 * Table of capability names: we generate it from capabilities.h.
 */
#include "capability_names.h"

/* securityfs entries exported for the capability mediation code */
struct aa_fs_entry aa_fs_entry_caps[] = {
	AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK),
	{ }
};

/*
 * Per-CPU memo of the profile most recently audited on this CPU together
 * with the set of capabilities already reported for it.  audit_caps()
 * consults it to drop repeated messages for the same (profile, cap) pair.
 */
struct audit_cache {
	struct aa_profile *profile;
	kernel_cap_t caps;
};

static DEFINE_PER_CPU(struct audit_cache, audit_cache);

/**
 * audit_cb - call back for capability components of audit struct
 * @ab - audit buffer (NOT NULL)
 * @va - audit struct to audit data from (NOT NULL)
 *
 * Appends " capname=<name>" to the audit record, where <name> is looked up
 * in the generated capability_names[] table.
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{
	const struct common_audit_data *sa = va;
	/* NOTE(review): sa->u.cap indexes capability_names[] unchecked;
	 * assumes callers only pass valid capability numbers - confirm. */
	const char *name = capability_names[sa->u.cap];

	audit_log_format(ab, " capname=");
	audit_log_untrustedstring(ab, name);
}

/**
 * audit_caps - audit a capability
 * @profile: profile being tested for confinement (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
 * Do auditing of capability and handle, audit/complain/kill modes switching
 * and duplicate message elimination.
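 *
 * Returns: 0 or sa->error on success, error code on failure
 */
static int audit_caps(struct aa_profile *profile, int cap, int error)
{
	struct audit_cache *ent;
	int type = AUDIT_APPARMOR_AUTO;
	struct common_audit_data sa;
	struct apparmor_audit_data aad = {0,};

	sa.type = LSM_AUDIT_DATA_CAP;
	sa.aad = &aad;
	sa.u.cap = cap;
	sa.aad->op = OP_CAPABLE;
	sa.aad->error = error;

	if (likely(!error)) {
		/* test if auditing is being forced */
		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
			   !cap_raised(profile->caps.audit, cap)))
			return 0;
		type = AUDIT_APPARMOR_AUDIT;
	} else if (KILL_MODE(profile) ||
		   cap_raised(profile->caps.kill, cap)) {
		type = AUDIT_APPARMOR_KILL;
	} else if (cap_raised(profile->caps.quiet, cap) &&
		   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
		   AUDIT_MODE(profile) != AUDIT_ALL) {
		/* quiet auditing */
		return error;
	}

	/*
	 * Do simple duplicate message elimination.  get_cpu_var() hands us
	 * this CPU's cache entry; every path out of this section pairs it
	 * with put_cpu_var().
	 */
	ent = &get_cpu_var(audit_cache);
	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
		put_cpu_var(audit_cache);
		if (COMPLAIN_MODE(profile))
			return complain_error(error);
		return error;
	} else {
		aa_put_profile(ent->profile);
		/*
		 * The cached cap set describes the previously cached
		 * profile.  Without clearing it when the profile changes,
		 * bits raised for another profile would suppress the first
		 * audit of that capability for this one.
		 */
		if (profile != ent->profile)
			cap_clear(ent->caps);
		ent->profile = aa_get_profile(profile);
		cap_raise(ent->caps, cap);
	}
	put_cpu_var(audit_cache);

	return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
}

/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap)
{
	return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM;
}

/**
 * aa_capable - test permission to use capability
 * @profile: profile being tested against (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
 * Look up capability in profile capability set.
 *
 * Returns: 0 on success, or else an error code.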
*/ int aa_capable(struct aa_profile *profile, int cap, int audit) { int error = profile_capable(profile, cap); if (!audit) { if (COMPLAIN_MODE(profile)) return complain_error(error); return error; } return audit_caps(profile, cap, error); } ing conntrack entry already exists, where the original direction of the existing connection is opposed to the new connection's initial packet. Most importantly, conntrack state relating to the current packet gets the "reply" designation based on whether the original direction tuple or the reply direction tuple matched. If this "directionality" is wrong w.r.t. to the stateful network admission policy it may happen that packets in neither direction are correctly admitted. This patch adds a new "force commit" option to the OVS conntrack action that checks the original direction of an existing conntrack entry. If that direction is opposed to the current packet, the existing conntrack entry is deleted and a new one is subsequently created in the correct direction. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Acked-by: Joe Stringer <joe@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 22:59:34 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc'>openvswitch: Add original direction conntrack tuple to sw_flow_key.</a></td><td>Jarno Rajahalme</td><td>1</td><td><span class='deletions'>-1</span>/<span class='insertions'>+19</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> Add the fields of the conntrack original direction 5-tuple to struct sw_flow_key. The new fields are initially marked as non-existent, and are populated whenever a conntrack action is executed and either finds or generates a conntrack entry. 
This means that these fields exist for all packets that were not rejected by conntrack as untrackable. The original tuple fields in the sw_flow_key are filled from the original direction tuple of the conntrack entry relating to the current packet, or from the original direction tuple of the master conntrack entry, if the current conntrack entry has a master. Generally, expected connections of connections having an assigned helper (e.g., FTP), have a master conntrack entry. The main purpose of the new conntrack original tuple fields is to allow matching on them for policy decision purposes, with the premise that the admissibility of tracked connections reply packets (as well as original direction packets), and both direction packets of any related connections may be based on ACL rules applying to the master connection's original direction 5-tuple. This also makes it easier to make policy decisions when the actual packet headers might have been transformed by NAT, as the original direction 5-tuple represents the packet headers before any such transformation. When using the original direction 5-tuple the admissibility of return and/or related packets need not be based on the mere existence of a conntrack entry, allowing separation of admission policy from the established conntrack state. While existence of a conntrack entry is required for admission of the return or related packets, policy changes can render connections that were initially admitted to be rejected or dropped afterwards. If the admission of the return and related packets was based on mere conntrack state (e.g., connection being in an established state), a policy change that would make the connection rejected or dropped would need to find and delete all conntrack entries affected by such a change. 
When using the original direction 5-tuple matching the affected conntrack entries can be allowed to time out instead, as the established state of the connection would not need to be the basis for packet admission any more. It should be noted that the directionality of related connections may be the same or different than that of the master connection, and neither the original direction 5-tuple nor the conntrack state bits carry this information. If needed, the directionality of the master connection can be stored in master's conntrack mark or labels, which are automatically inherited by the expected related connections. The fact that neither ARP nor ND packets are trackable by conntrack allows mutual exclusion between ARP/ND and the new conntrack original tuple fields. Hence, the IP addresses are overlaid in union with ARP and ND fields. This allows the sw_flow_key to not grow much due to this patch, but it also means that we must be careful to never use the new key fields with ARP or ND packets. ARP is easy to distinguish and keep mutually exclusive based on the ethernet type, but ND being an ICMPv6 protocol requires a bit more attention. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Joe Stringer <joe@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 22:59:34 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=cb80d58fae76d8ea93555149b2b16e19b89a1f4f'>openvswitch: Unionize ovs_key_ct_label with a u32 array.</a></td><td>Jarno Rajahalme</td><td>1</td><td><span class='deletions'>-2</span>/<span class='insertions'>+6</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> Make the array of labels in struct ovs_key_ct_label an union, adding a u32 array of the same byte size as the existing u8 array. 
It is faster to loop through the labels 32 bits at a time, which is also the alignment of netlink attributes. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Joe Stringer <joe@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=242bd2d519d7194633e309286ba7ba29a1ad63e8'>sctp: implement sender-side procedures for Add Incoming/Outgoing Streams ↵</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+9</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> Request Parameter This patch is to implement Sender-Side Procedures for the Add Outgoing and Incoming Streams Request Parameter described in rfc6525 section 5.1.5-5.1.6. It is also to add sockopt SCTP_ADD_STREAMS in rfc6525 section 6.3.4 for users. Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=78098117f8bfad4f2104c3f7b6b69071af95a246'>sctp: add support for generating stream reconf add incoming/outgoing streams ↵</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+10</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> request chunk This patch is to define Add Incoming/Outgoing Streams Request Parameter described in rfc6525 section 4.5 and 4.6. They can be carried in the same chunk, as rfc6525 section 3.1-7 describes, so make them in one function. 
Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=a92ce1a42dde1caaee4afae67531e3e7acecf6e4'>sctp: implement sender-side procedures for SSN/TSN Reset Request Parameter</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+2</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> This patch is to implement Sender-Side Procedures for the SSN/TSN Reset Request Parameter described in rfc6525 section 5.1.4. It is also to add sockopt SCTP_RESET_ASSOC in rfc6525 section 6.3.3 for users. Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=c56480a1e90261842f54f3a5a9ebc12d827f0c3e'>sctp: add support for generating stream reconf ssn/tsn reset request chunk</a></td><td>Xin Long</td><td>2</td><td><span class='deletions'>-0</span>/<span class='insertions'>+7</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> This patch is to define SSN/TSN Reset Request Parameter described in rfc6525 section 4.3. Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. 
Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-09 16:57:38 -0500'>2017-02-09</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=9faf1c0fd5a943e498dbc0c86ff42e965b347d08'>sctp: drop unnecessary __packed from some stream reconf structures</a></td><td>Xin Long</td><td>1</td><td><span class='deletions'>-3</span>/<span class='insertions'>+3</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> commit 85c727b59483 ("sctp: drop __packed from almost all SCTP structures") has removed __packed from almost all SCTP structures. But there still are three structures where it should be dropped. This patch is to remove it from some stream reconf structures. Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-08 15:25:18 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=982acb97560c8118c2109504a22b0d78a580547d'>ipv4: fib: Notify about nexthop status changes</a></td><td>Ido Schimmel</td><td>1</td><td><span class='deletions'>-0</span>/<span class='insertions'>+7</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> When a multipath route is hit the kernel doesn't consider nexthops that are DEAD or LINKDOWN when IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN is set. Devices that offload multipath routes need to be made aware of nexthop status changes. Otherwise, the device will keep forwarding packets to non-functional nexthops. Add the FIB_EVENT_NH_{ADD,DEL} events to the fib notification chain, which notify capable devices when they should add or delete a nexthop from their tables. 
Cc: Roopa Prabhu <roopa@cumulusnetworks.com> Cc: David Ahern <dsa@cumulusnetworks.com> Cc: Andy Gospodarek <andy@greyhouse.net> Signed-off-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Reviewed-by: Andy Gospodarek <gospo@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-08 15:11:22 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=6a2cac549b368960c9cd6a993f2f2cc6d720e935'>net: stmmac: Remove the bus_setup function pointer</a></td><td>LABBE Corentin</td><td>1</td><td><span class='deletions'>-1</span>/<span class='insertions'>+0</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> The bus_setup function pointer is not used at all, this patch remove it. Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com> Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-08 14:38:18 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=97e219b7c1f75b14b29abe28ad53e8709e8d15e5'>gro_cells: move to net/core/gro_cells.c</a></td><td>Eric Dumazet</td><td>1</td><td><span class='deletions'>-82</span>/<span class='insertions'>+4</span></td></tr> <tr class='nohover-highlight'><td/><td colspan='5' class='logmsg'> We have many gro cells users, so lets move the code to avoid duplication. This creates a CONFIG_GRO_CELLS option. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> </td></tr> <tr class='logheader'><td><span title='2017-02-08 13:29:04 -0500'>2017-02-08</span></td><td class='logsubject'><a href='/cgit.cgi/linux/net-next.git/commit/include?id=04d8a0a5f3b6887543850d991a5e37c4ec90e250'>net: phy: Add LED mode driver for Microsemi PHYs.</a></td><td>Raju Lakkaraju