Changes to the core network stack to support the NetLabel subsystem. This
includes changes to the IPv4 option handling to support CIPSO labels.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This automatically labels the TCP, Unix stream, and dccp child sockets
as well as openreqs to be at the same MLS level as the peer. This will
result in the selection of appropriately labeled IPSec Security
Associations.
This also uses the sock's sid (as opposed to the isec sid) in SELinux
enforcement of secmark in rcv_skb and postroute_last hooks.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This defaults the label of socket-specific IPSec policies to be the
same as the socket they are set on.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.
The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.
ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This implements a seemless mechanism for xfrm policy selection and
state matching based on the flow sid. This also includes the necessary
SELinux enforcement pieces.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This adds security to flow key for labeling of flows as also to allow
for making flow cache lookups based on the security label seemless.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This adds security for IP sockets at the sock level. Security at the
sock level is needed to enforce the SELinux security policy for
security associations even when a sock is orphaned (such as in the TCP
LAST_ACK state).
This will also be used to enforce SELinux controls over data arriving
at or leaving a child socket while it's still waiting to be accepted.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
* git://git.infradead.org/~dwmw2/hdroneline:
[HEADERS] One line per header in Kbuild files to reduce conflicts
Manual (trivial) conflict resolution in include/asm-s390/Kbuild
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (64 commits)
[BLOCK] dm-crypt: trivial comment improvements
[CRYPTO] api: Deprecate crypto_digest_* and crypto_alg_available
[CRYPTO] padlock: Convert padlock-sha to use crypto_hash
[CRYPTO] users: Use crypto_comp and crypto_has_*
[CRYPTO] api: Add crypto_comp and crypto_has_*
[CRYPTO] users: Use crypto_hash interface instead of crypto_digest
[SCSI] iscsi: Use crypto_hash interface instead of crypto_digest
[CRYPTO] digest: Remove old HMAC implementation
[CRYPTO] doc: Update documentation for hash and me
[SCTP]: Use HMAC template and hash interface
[IPSEC]: Use HMAC template and hash interface
[CRYPTO] tcrypt: Use HMAC template and hash interface
[CRYPTO] hmac: Add crypto template implementation
[CRYPTO] digest: Added user API for new hash type
[CRYPTO] api: Mark parts of cipher interface as deprecated
[PATCH] scatterlist: Add const to sg_set_buf/sg_init_one pointer argument
[CRYPTO] drivers: Remove obsolete block cipher operations
[CRYPTO] users: Use block ciphers where applicable
[SUNRPC] GSS: Use block ciphers where applicable
[IPSEC] ESP: Use block ciphers where applicable
...
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6: (44 commits)
[S390] hypfs crashes with invalid mount option.
[S390] cio: subchannel evaluation function operates without lock
[S390] cio: always query all paths on path verification.
[S390] cio: update path groups on logical CHPID changes.
[S390] cio: subchannels in no-path state.
[S390] Replace nopav-message on VM.
[S390] set modalias for ccw bus uevents.
[S390] Get rid of DBG macro.
[S390] Use alternative user-copy operations for new hardware.
[S390] Make user-copy operations run-time configurable.
[S390] Cleanup in signal handling code.
[S390] Cleanup in page table related code.
[S390] Linux API for writing z/VM APPLDATA Monitor records.
[S390] xpram off by one error.
[S390] Remove kexec experimental flag.
[S390] cleanup appldata.
[S390] fix typo in vmcp.
[S390] Kernel stack overflow handling.
[S390] qdio slsb processing state.
[S390] Missing initialization in common i/o layer.
...
ioremap must be balanced by an iounmap and failing to do so can result
in a memory leak.
Tested (compilation only) with:
- allmodconfig
- Modifying drivers/mtd/maps/Kconfig and drivers/mtd/nand/Kconfig to
make sure that the changed file is compiling without warning
Signed-off-by: Amol Lad <amol@verismonetworks.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Introduce the MTD_STUPID_LOCK flag which indicates that the flash chip is
always locked after power-up, so all sectors need to be unlocked before it
is usable.
If this flag is set, and the chip provides an unlock() operation,
mtd_add_device will unlock the whole MTD device if it's writeable. This
means that non-writeable partitions will stay locked.
Set MTD_STUPID_LOCK in fixup_use_atmel_lock() so that these chips will work
as expected.
Signed-off-by: Håvard Skinnemoen <hskinnemoen@atmel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Ulrich Weigand found a bug with the current version of the
asm-powerpc/ptrace.h that prevents building at least the
SPU target version of gdb, since some ptrace opcodes are
not defined.
The problem seems to have originated in the merging of 32 and
64 bit versions of that file, the problem is that some opcodes
are only valid on 64 bit kernels, but are also used by 32 bit
programs, so they can't depends on the __powerpc64__ symbol.
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
This looks like cruft to me, these functions don't exist AFAICT,
and I can't see that it's possible to even enable DISCONTIGMEM on
powerpc anymore. CC'ing some folks who might know better, based on
the who-touched-it-last principle.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
This patch changes the io operations so that they are out of line if
CONFIG_PPC_ISERIES is set and includes a firmware feature check in
that case.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
The fs_no mean used to be fs_enet driver driven, hence it was an
enumeration across all the possible fs_enet "users" in the SoC. Now, with
QE on the pipeline, and to make DTS descriptions more clear, fs_no features
relevant SoC part number, with additional field to describe the SoC type.
Another reason for that is now not only fs_enet is going to utilize those
stuff. There might be UART, HLDC, and even USB, so to prevent confusion and
be ready for upcoming OF_device transfer, fs_enet and cpm_uart drivers were
updated in that concern, as well as the relevant DTS.
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com>
Incorporating the new way of cpm2 immr access, introduced in the previous
patch, into CPM2 peripheral devices (fs_enet and cpm_uart). Both ppc and
powerpc approved working( real actions taken in powerpc only, ppc just
has a wrapper to keep init stuff consistent).
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com>
The stuff below cleans up the code attempting to remap the whole cpm2_immr
early, as well as places happily assuming that fact. This is more like the 2.4
legacy stuff, and is at least confusing and unclear now.
To keep the world comfortable, a new mechanism is introduced: before accessing
specific immr register/register set, one needs to map it, using cpm2_map(<reg>),
for instance, access to CPM command register will look like
volatile cpm_cpm2_t *cp = cpm2_map(im_cpm);
keeping the code clear, yet without "already defined somewhere" cpm2_immr.
So far, unmapping code is not implemented, but it's not a big deal to add it,
if the whole idea makes sense.
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com>
This makes the 8560 evaluation board fully supported under arch/powerpc,
as the first board with CPM2 SoC peripherals. The brand new devicetree
nodes are introduced (intending to be a subset of the QuiccEngine-equipped
models, with dts sources placed into the kernel according to the new convention.
Assuming all the preceding stuff applied (PAL+fs_enet related+ CPM_UART
update), the both TSEC eth ,FCC Eths, and both SCC UARTs are
working. The relevant drivers are still capable to drive users in ppc,
which was verified with 8272ADS (SCC uart+FCC eth).
This is also verified on mpc8540 and actually make it work (PCI stuff
working as well)
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com>
This moves the cpm2 common code and PIC stuff to the powerpc. Most of the files
were just copied from ppc/, with minor tuning to make it compile, and, subsequently, work.
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com>
Driver core has been updated to make use of the new powerpc OF-inspired
platform devices, yet keeping compatibility to the vast board list from
ppc.
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com>
This fixes some debug register defines on PPC 40x that were incorrect.
Signed-off-by: Josh Boyer <jdub@us.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Add wrapper around the rtas call to enable MMIO or DMA on a frozen pci
slot.
Signed-off-by: Linas Vepstas <linas@austin.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
This fixes most of the issues with exported headers on CRIS, although
we do still need to deal with the asm/arch symlink.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mostly removing files which have no business being used in userspace.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
> asm-m32r/page.h requires asm-generic/memory_model.h, which does not exist
> asm-m32r/ptrace.h requires asm/m32r.h, which does not exist
> asm-m32r/signal.h requires linux/linkage.h, which does not exist
> asm-m32r/unistd.h requires asm/syscall.h, which does not exist
> asm-m32r/user.h requires asm/processor.h, which does not exist
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Cleanup for user headers, as noted:
asm-sh64/page.h requires asm-generic/memory_model.h, which does not exist in exported headers
asm-sh64/shmparam.h requires asm/cache.h, which does not exist in exported headers
asm-sh64/signal.h requires asm/processor.h, which does not exist in exported headers
asm-sh64/user.h requires asm/processor.h, which does not exist in exported headers
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Cleanup for user headers, as noted:
asm-sh/page.h requires asm-generic/memory_model.h, which does not exist in exported headers
asm-sh/ptrace.h requires asm/ubc.h, which does not exist in exported headers
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This patch marks the crypto_digest_* functions and crypto_alg_available
as deprecated. They've been replaced by crypto_hash_* and crypto_has_*
respectively.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch converts padlock-sha to use crypto_hash for its fallback.
It also changes the fallback selection to use selection by type instead
of name. This is done through the new CRYPTO_ALG_NEED_FALLBACK bit,
which is set if and only if an algorithm needs a fallback of the same
type.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch adds the crypto_comp type to complete the compile-time checking
conversion. The functions crypto_has_alg and crypto_has_cipher, etc. are
also added to replace crypto_alg_available.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch removes the old HMAC implementation now that nobody uses it
anymore.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch converts SCTP to use the new HMAC template and hash interface.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch converts IPsec to use the new HMAC template. The names of
existing simple digest algorithms may still be used to refer to their
HMAC composites.
The same structure can be used by other MACs such as AES-XCBC-MAC.
This patch also switches from the digest interface to hash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
The existing digest user interface is inadequate for support asynchronous
operations. For one it doesn't return a value to indicate success or
failure, nor does it take a per-operation descriptor which is essential
for the issuing of requests while other requests are still outstanding.
This patch is the first in a series of steps to remodel the interface
for asynchronous operations.
For the ease of transition the new interface will be known as "hash"
while the old one will remain as "digest".
This patch also changes sg_next to allow chaining.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Mark the parts of the cipher interface that have been replaced by
block ciphers as deprecated. Thanks to Andrew Morton for suggesting
doing this before removing them completely.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch adds a const modifier to the buf argument of sg_set_buf and
sg_init_one. This lets people call it with pointers that are const.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
