An error occurred fetching the project authors.
- 08 Feb, 2007 2 commits
-
-
David S. Miller authored
Needed by xfrm_user and af_key. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Shinta Sugimoto authored
Extend the XFRM framework so that endpoint address(es) in the XFRM databases could be dynamically updated according to a request (MIGRATE message) from user application. Target XFRM policy is first identified by the selector in the MIGRATE message. Next, the endpoint addresses of the matching templates and XFRM states are updated according to the MIGRATE message. Signed-off-by:
Shinta Sugimoto <shinta.sugimoto@ericsson.com> Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 24 Jan, 2007 1 commit
-
-
Herbert Xu authored
The recent hashing introduced an off-by-one bug in policy list insertion. Instead of adding after the last entry with a lesser or equal priority, we're adding after the successor of that entry. This patch fixes this and also adds a warning if we detect a duplicate entry in the policy list. This should never happen due to this if clause. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 07 Dec, 2006 4 commits
-
-
Christoph Lameter authored
Replace all uses of kmem_cache_t with struct kmem_cache. The patch was generated using the following script: #!/bin/sh # # Replace one string by another in all the kernel sources. # set -e for file in `find * -name "*.c" -o -name "*.h"|xargs grep -l $1`; do quilt add $file sed -e "1,\$s/$1/$2/g" $file >/tmp/$$ mv /tmp/$$ $file quilt refresh done The script was run like this sh replace kmem_cache_t "struct kmem_cache" Signed-off-by:
Christoph Lameter <clameter@sgi.com> Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
Linus Torvalds <torvalds@osdl.org>
-
Joy Latten authored
Disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. Also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Signed-off-by:
Joy Latten <latten@austin.ibm.com> Signed-off-by:
James Morris <jmorris@namei.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Joy Latten authored
An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by:
Joy Latten <latten@austin.ibm.com> Signed-off-by:
James Morris <jmorris@namei.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Jamal Hadi Salim authored
This change optimizes the dumping of Security policies. 1) Before this change .. speedopolis:~# time ./ip xf pol real 0m22.274s user 0m0.000s sys 0m22.269s 2) Turn off sub-policies speedopolis:~# ./ip xf pol real 0m13.496s user 0m0.000s sys 0m13.493s i suppose the above is to be expected 3) With this change .. speedopolis:~# time ./ip x policy real 0m7.901s user 0m0.008s sys 0m7.896s
-
- 03 Dec, 2006 3 commits
-
-
Miika Komu authored
Signed-off-by:
Miika Komu <miika@iki.fi> Signed-off-by:
Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by:
Kazunori Miyazawa <miyazawa@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Andrew Morton authored
Six callsites, huge. Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Venkat Yekkirala authored
Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's. With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs: 1. To enable a socket to communicate without using labeled-IPSec SAs: allow socket_t unlabeled_t:association { sendto recvfrom } 2. To enable a socket to communicate with labeled-IPSec SAs: allow socket_t self:association { sendto }; allow socket_t peer_sa_t:association { recvfrom }; Signed-off-by:
Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by:
James Morris <jmorris@namei.org>
-
- 22 Nov, 2006 1 commit
-
-
David Howells authored
Fix up for make allyesconfig. Signed-Off-By:
David Howells <dhowells@redhat.com>
-
- 12 Oct, 2006 3 commits
-
-
Venkat Yekkirala authored
This treats the security errors encountered in the case of socket policy matching, the same as how these are treated in the case of main/sub policies, which is to return a full lookup failure. Signed-off-by:
Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by:
James Morris <jmorris@namei.org>
-
Venkat Yekkirala authored
Currently when an IPSec policy rule doesn't specify a security context, it is assumed to be "unlabeled" by SELinux, and so the IPSec policy rule fails to match to a flow that it would otherwise match to, unless one has explicitly added an SELinux policy rule allowing the flow to "polmatch" to the "unlabeled" IPSec policy rules. In the absence of such an explicitly added SELinux policy rule, the IPSec policy rule fails to match and so the packet(s) flow in clear text without the otherwise applicable xfrm(s) applied. The above SELinux behavior violates the SELinux security notion of "deny by default" which should actually translate to "encrypt by default" in the above case. This was first reported by Evgeniy Polyakov and the way James Morris was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. With this patch applied, SELinux "polmatching" of flows Vs. IPSec policy rules will only come into play when there's a explicit context specified for the IPSec policy rule (which also means there's corresponding SELinux policy allowing appropriate domains/flows to polmatch to this context). Secondly, when a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return errors other than access denied, such as -EINVAL. We were not handling that correctly, and in fact inverting the return logic and propagating a false "ok" back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The solution for this is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). This patch: Fix the selinux side of things. This makes sure SELinux polmatching of flow contexts to IPSec policy rules comes into play only when an explicit context is associated with the IPSec policy rule. Also, this no longer defaults the context of a socket policy to the context of the socket since the "no explicit context" case is now handled properly. Signed-off-by:
Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by:
James Morris <jmorris@namei.org>
-
James Morris authored
When a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return an access denied permission (or other error). We were not handling that correctly, and in fact inverting the return logic and propagating a false "ok" back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The way I was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. The first SYNACK would be blocked, because of an uncached lookup via flow_cache_lookup(), which would fail to resolve an xfrm policy because the SELinux policy is checked at that point via the resolver. However, retransmitted SYNACKs would then find a cached flow entry when calling into flow_cache_lookup() with a null xfrm policy, which is interpreted by xfrm_lookup() as the packet not having any associated policy and similarly to the first case, allowing it to pass without transformation. The solution presented here is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). Signed-off-by:
James Morris <jmorris@namei.org>
-
- 04 Oct, 2006 1 commit
-
-
David S. Miller authored
When we flush policies, we do a type match so we might not actually delete all policies matching a certain direction. So keep track of how many policies we actually kill and subtract that number from xfrm_policy_count[dir] at the end. Based upon a patch by Masahide NAKAMURA. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 22 Sep, 2006 18 commits
-
-
Patrick McHardy authored
Hashing SAs by source address breaks templates with wildcards as tunnel source since the source address used for hashing/lookup is still 0/0. Move source address lookup to xfrm_tmpl_resolve_one() so we can use the real address in the lookup. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
James Morris authored
It seems that during the MIPv6 respin, some code which was originally conditionally compiled around CONFIG_XFRM_ADVANCED was accidently left in after the config option was removed. This patch removes an extraneous pointer (xerr_idxp) which is no longer needed. Signed-off-by:
James Morris <jmorris@namei.org> Acked-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Alexey Dobriyan authored
Signed-off-by:
Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Even if we find an exact match in the hash table, we must inspect the inexact list to look for a match with a better priority. Noticed by Masahide NAKAMURA <nakam@linux-ipv6.org>. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
This idea is from Alexey Kuznetsov. It is common for policies to be non-prefixed. And for that case we can optimize lookups, insert, etc. quite a bit. For each direction, we have a dynamically sized policy hash table for non-prefixed policies. We also have a hash table on policy->index. For prefixed policies, we have a list per-direction which we will consult on lookups when a non-prefix hashtable lookup fails. This still isn't as efficient as I would like it. There are four immediate problems: 1) Lots of excessive refcounting, which can be fixed just like xfrm_state was 2) We do 2 hash probes on insert, one to look for dups and one to allocate a unique policy->index. Althought I wonder how much this matters since xfrm_state inserts do up to 3 hash probes and that seems to perform fine. 3) xfrm_policy_insert() is very complex because of the priority ordering and entry replacement logic. 4) Lots of counter bumping, in addition to policy refcounts, in the form of xfrm_policy_count[]. This is merely used to let code path(s) know that some IPSEC rules exist. So this count is indexed per-direction, maybe that is overkill. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Just let GC and other normal mechanisms take care of getting rid of DST cache references to deleted xfrm_state objects instead of walking all the policy bundles. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Instead, simply set all potentially aliasing existing xfrm_state objects to have the current generation counter value. This will make routes get relooked up the next time an existing route mentioning these aliased xfrm_state objects gets used, via xfrm_dst_check(). Signed-off-by:
David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Each xfrm_state inserted gets a new generation counter value. When a bundle is created, the xfrm_dst objects get the current generation counter of the xfrm_state they will attach to at dst->xfrm. xfrm_bundle_ok() will return false if it sees an xfrm_dst with a generation count different from the generation count of the xfrm_state that dst points to. This provides a facility by which to passively and cheaply invalidate cached IPSEC routes during SA database changes. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Masahide NAKAMURA authored
Under two transformation policies it is required to merge them. This is a platform to sort state for outbound and templates for inbound respectively. It will be used when Mobile IPv6 and IPsec are used at the same time. Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Masahide NAKAMURA authored
Sub policy is introduced. Main and sub policy are applied the same flow. (Policy that current kernel uses is named as main.) It is required another transformation policy management to keep IPsec and Mobile IPv6 lives separate. Policy which lives shorter time in kernel should be a sub i.e. normally main is for IPsec and sub is for Mobile IPv6. (Such usage as two IPsec policies on different database can be used, too.) Limitation or TODOs: - Sub policy is not supported for per socket one (it is always inserted as main). - Current kernel makes cached outbound with flowi to skip searching database. However this patch makes it disabled only when "two policies are used and the first matched one is bypass case" because neither flowi nor bundle information knows about transformation template size. Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
-
Masahide NAKAMURA authored
For Mobile IPv6 usage, it is required to trace which secpath state is reject factor in order to notify it to user space (to know the address which cannot be used route optimized communication). Based on MIPL2 kernel patch. This patch was also written by: Henrik Petander <petander@tcs.hut.fi> Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Masahide NAKAMURA authored
For outbound transformation, bundle is checked whether it is suitable for current flow to be reused or not. In such IPv6 case as below, transformation may apply incorrect bundle for the flow instead of creating another bundle: - The policy selector has destination prefix length < 128 (Two or more addresses can be matched it) - Its bundle holds dst entry of default route whose prefix length < 128 (Previous traffic was used such route as next hop) - The policy and the bundle were used a transport mode state and this time flow address is not matched the bundled state. This issue is found by Mobile IPv6 usage to protect mobility signaling by IPsec, but it is not a Mobile IPv6 specific. This patch adds strict check to xfrm_bundle_ok() for each state mode and address when prefix length is less than 128. Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Masahide NAKAMURA authored
On current kernel inbound transformation state is allowed transport and disallowed tunnel mode when mismatch is occurred between tempates and states. As the result of adding two more modes by Mobile IPv6, this function name is misleading. Inbound transformation can allow only transport mode when mismatch is occurred between template and secpath. Based on MIPL2 kernel patch. Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Masahide NAKAMURA authored
For Mobile IPv6 usage, routing header or destination options header is used and it doesn't require this comparison. It is checked only for IPsec template. Based on MIPL2 kernel patch. Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Masahide NAKAMURA authored
Transformation mode is used as either IPsec transport or tunnel. It is required to add two more items, route optimization and inbound trigger for Mobile IPv6. Based on MIPL2 kernel patch. This patch was also written by: Ville Nuorvala <vnuorval@tcs.hut.fi> Signed-off-by:
Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Venkat Yekkirala authored
This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec like they currently do. ipmr ip_gre ipip igmp sit sctp ip6_tunnel (IPv6 over IPv6 tunnel device) decnet Signed-off-by:
Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Venkat Yekkirala authored
This implements a seemless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces. Signed-off-by:
Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 14 Aug, 2006 1 commit
-
-
David S. Miller authored
If dst->obsolete is -1, this is a signal from the bundle creator that we want the XFRM dst and the dsts that it references to be validated on every use. I misunderstood this intention when I changed xfrm_dst_check() to always return NULL. Now, when we purge a dst entry, by running dst_free() on it. This will set the dst->obsolete to a positive integer, and we want to return NULL in that case so that the socket does a relookup for the route. Thus, if dst->obsolete<0, let stale_bundle() validate the state, else always return NULL. In general, we need to do things more intelligently here because we flush too much state during rule changes. Herbert Xu has some ideas wherein the key manager gives us some help in this area. We can also use smarter state management algorithms inside of the kernel as well. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 21 Jul, 2006 1 commit
-
-
Panagiotis Issaris authored
Signed-off-by:
Panagiotis Issaris <takis@issaris.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 30 Jun, 2006 1 commit
-
-
Jörn Engel authored
Signed-off-by:
Jörn Engel <joern@wohnheim.fh-wedel.de> Signed-off-by:
Adrian Bunk <bunk@stusta.de>
-
- 18 Jun, 2006 2 commits
-
-
Herbert Xu authored
This patch adds the structure xfrm_mode. It is meant to represent the operations carried out by transport/tunnel modes. By doing this we allow additional encapsulation modes to be added without clogging up the xfrm_input/xfrm_output paths. Candidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and BEET modes. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Herbert Xu authored
The number of locks used to manage afinfo structures can easily be reduced down to one each for policy and state respectively. This is based on the observation that the write locks are only held by module insertion/removal which are very rare events so there is no need to further differentiate between the insertion of modules like ipv6 versus esp6. The removal of the read locks in xfrm4_policy.c/xfrm6_policy.c might look suspicious at first. However, after you realise that nobody ever takes the corresponding write lock you'll feel better :) As far as I can gather it's an attempt to guard against the removal of the corresponding modules. Since neither module can be unloaded at all we can leave it to whoever fixes up IPv6 unloading :) Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 30 Apr, 2006 2 commits
-
-
Ingo Molnar authored
xfrm_policy_afinfo_lock can be taken in bh context, at: [<c013fe1a>] lockdep_acquire_read+0x54/0x6d [<c0f6e024>] _read_lock+0x15/0x22 [<c0e8fcdb>] xfrm_policy_get_afinfo+0x1a/0x3d [<c0e8fd10>] xfrm_decode_session+0x12/0x32 [<c0e66094>] ip_route_me_harder+0x1c9/0x25b [<c0e770d3>] ip_nat_local_fn+0x94/0xad [<c0e2bbc8>] nf_iterate+0x2e/0x7a [<c0e2bc50>] nf_hook_slow+0x3c/0x9e [<c0e3a342>] ip_push_pending_frames+0x2de/0x3a7 [<c0e53e19>] icmp_push_reply+0x136/0x141 [<c0e543fb>] icmp_reply+0x118/0x1a0 [<c0e54581>] icmp_echo+0x44/0x46 [<c0e53fad>] icmp_rcv+0x111/0x138 [<c0e36764>] ip_local_deliver+0x150/0x1f9 [<c0e36be2>] ip_rcv+0x3d5/0x413 [<c0df760f>] netif_receive_skb+0x337/0x356 [<c0df76c3>] process_backlog+0x95/0x110 [<c0df5fe2>] net_rx_action+0xa5/0x16d [<c012d8a7>] __do_softirq+0x6f/0xe6 [<c0105ec2>] do_softirq+0x52/0xb1 this means that all write-locking of xfrm_policy_afinfo_lock must be bh-safe. This patch fixes xfrm_policy_register_afinfo() and xfrm_policy_unregister_afinfo(). Signed-off-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Ingo Molnar authored
xfrm typemap->lock may be used in softirq context, so all write_lock() uses must be softirq-safe. Signed-off-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
David S. Miller <davem@davemloft.net>
-