linux/net/netlabel, branch v4.9

netlabel: Implement CALIPSO config functions for SMACK.

2016-06-27T19:06:18Z

SMACK uses similar functions to control CIPSO, these are the equivalent functions for CALIPSO and follow exactly the same semantics. int netlbl_cfg_calipso_add(struct calipso_doi *doi_def, struct netlbl_audit *audit_info) Adds a CALIPSO doi. void netlbl_cfg_calipso_del(u32 doi, struct netlbl_audit *audit_info) Removes a CALIPSO doi. int netlbl_cfg_calipso_map_add(u32 doi, const char *domain, const struct in6_addr *addr, const struct in6_addr *mask, struct netlbl_audit *audit_info) Creates a mapping between a domain and a CALIPSO doi. If addr and mask are non-NULL this creates an address-selector type mapping. This also extends netlbl_cfg_map_del() to remove IPv6 address-selector mappings. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

calipso: Add a label cache.

2016-06-27T19:06:17Z

This works in exactly the same way as the CIPSO label cache. The idea is to allow the lsm to cache the result of a secattr lookup so that it doesn't need to perform the lookup for every skbuff. It introduces two sysctl controls: calipso_cache_enable - enables/disables the cache. calipso_cache_bucket_size - sets the size of a cache bucket. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

netlabel: Pass a family parameter to netlbl_skbuff_err().

2016-06-27T19:06:16Z

This makes it possible to route the error to the appropriate labelling engine. CALIPSO is far less verbose than CIPSO when encountering a bogus packet, so there is no need for a CALIPSO error handler. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

calipso: Allow the lsm to label the skbuff directly.

2016-06-27T19:06:15Z

In some cases, the lsm needs to add the label to the skbuff directly. A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4 behaviour. This allows selinux to label the skbuffs that it requires. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

calipso: Allow request sockets to be relabelled by the lsm.

2016-06-27T19:05:29Z

Request sockets need to have a label that takes into account the incoming connection as well as their parent's label. This is used for the outgoing SYN-ACK and for their child full-socket. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

calipso: Set the calipso socket label to match the secattr.

2016-06-27T19:02:51Z

CALIPSO is a hop-by-hop IPv6 option. A lot of this patch is based on the equivalent CISPO code. The main difference is due to manipulating the options in the hop-by-hop header. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

netlabel: Move bitmap manipulation functions to the NetLabel core.

2016-06-27T19:02:51Z

This is to allow the CALIPSO labelling engine to use these. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

netlabel: Add support for removing a CALIPSO DOI.

2016-06-27T19:02:49Z

Remove a specified DOI through the NLBL_CALIPSO_C_REMOVE command. It requires the attribute: NLBL_CALIPSO_A_DOI. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

netlabel: Add support for creating a CALIPSO protocol domain mapping.

2016-06-27T19:02:49Z

This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands to accept CALIPSO protocol DOIs. Signed-off-by: Huw Davies Signed-off-by: Paul Moore

netlabel: Add support for enumerating the CALIPSO DOI list.

2016-06-27T19:02:48Z

Enumerate the DOI list through the NLBL_CALIPSO_C_LISTALL command. It takes no attributes. Signed-off-by: Huw Davies Signed-off-by: Paul Moore