redonkable/alistair23-linux
redonkable/alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/net/netfilter
History
Paul Moore d621d35e57 SELinux: Enable dynamic enable/disable of the network access checks 
This patch introduces a mechanism for checking when labeled IPsec or SECMARK
are in use by keeping introducing a configuration reference counter for each
subsystem.  In the case of labeled IPsec, whenever a labeled SA or SPD entry
is created the labeled IPsec/XFRM reference count is increased and when the
entry is removed it is decreased.  In the case of SECMARK, when a SECMARK
target is created the reference count is increased and later decreased when the
target is removed.  These reference counters allow SELinux to quickly determine
if either of these subsystems are enabled.

NetLabel already has a similar mechanism which provides the netlbl_enabled()
function.

This patch also renames the selinux_relabel_packet_permission() function to
selinux_secmark_relabel_packet_permission() as the original name and
description were misleading in that they referenced a single packet label which
is not the case.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-01-30 08:17:26 +11:00
..
core.c [NETFILTER]: kill nf_sysctl.c 2008-01-28 15:02:40 -08:00
Kconfig [NETFILTER]: Rename ipt_iprange to xt_iprange 2008-01-28 15:02:27 -08:00
Makefile [NETFILTER]: kill nf_sysctl.c 2008-01-28 15:02:40 -08:00
nf_conntrack_amanda.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_core.c [NETFILTER]: nf_conntrack: clean up a few header files 2008-01-28 15:02:41 -08:00
nf_conntrack_ecache.c [NETFILTER]: nf_conntrack_expect: function naming unification 2007-07-10 22:17:53 -07:00
nf_conntrack_expect.c [NETFILTER]: non-power-of-two jhash optimizations 2008-01-28 14:59:11 -08:00
nf_conntrack_extend.c [NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage() 2007-11-15 15:52:32 -08:00
nf_conntrack_ftp.c [NETFILTER]: Introduce nf_inet_address 2008-01-28 14:59:07 -08:00
nf_conntrack_h323_asn1.c [NETFILTER]: Parenthesize macro parameters 2008-01-28 14:59:08 -08:00
nf_conntrack_h323_main.c [NETFILTER]: Introduce nf_inet_address 2008-01-28 14:59:07 -08:00
nf_conntrack_h323_types.c [NETFILTER]: nf_conntrack_h323: fix ASN.1 types 2007-05-24 16:42:26 -07:00
nf_conntrack_helper.c netfilter endian regressions 2007-07-26 11:11:56 -07:00
nf_conntrack_irc.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_l3proto_generic.c [NETFILTER]: nf_conntrack: remove print_conntrack function from l3protos 2008-01-28 15:02:41 -08:00
nf_conntrack_netbios_ns.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_netlink.c [NETFILTER]: Kill some supper dupper bloatry 2008-01-28 15:00:41 -08:00
nf_conntrack_pptp.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_proto.c [NETFILTER]: Use the ctl paths instead of hand-made analogue 2008-01-28 15:01:11 -08:00
nf_conntrack_proto_generic.c [NETFILTER]: nf_conntrack: make print_conntrack function optional for l4protos 2008-01-28 15:02:42 -08:00
nf_conntrack_proto_gre.c [NETFILTER]: ctnetlink: use netlink policy 2007-10-10 16:53:35 -07:00
nf_conntrack_proto_sctp.c [NETFILTER]: nf_conntrack_sctp: remove timeout indirection 2008-01-28 15:02:39 -08:00
nf_conntrack_proto_tcp.c [NETFILTER]: nf_conntrack_tcp: remove timeout indirection 2008-01-28 15:02:32 -08:00
nf_conntrack_proto_udp.c [NETFILTER]: nf_conntrack: make print_conntrack function optional for l4protos 2008-01-28 15:02:42 -08:00
nf_conntrack_proto_udplite.c [NETFILTER]: nf_conntrack: make print_conntrack function optional for l4protos 2008-01-28 15:02:42 -08:00
nf_conntrack_sane.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_sip.c [NETFILTER]: Introduce nf_inet_address 2008-01-28 14:59:07 -08:00
nf_conntrack_standalone.c [NETFILTER]: nf_conntrack: make print_conntrack function optional for l4protos 2008-01-28 15:02:42 -08:00
nf_conntrack_tftp.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_internals.h [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_log.c [NETFILTER]: nf_log: remove incomprehensible comment 2008-01-28 14:59:00 -08:00
nf_queue.c [NETFILTER]: constify nf_afinfo 2008-01-28 14:59:05 -08:00
nf_sockopt.c [NETFILTER]: fix compat_nf_sockopt typo 2007-11-15 14:29:21 -08:00
nfnetlink.c [NETNS]: Consolidate kernel netlink socket destruction. 2008-01-28 15:08:07 -08:00
nfnetlink_log.c [NETFILTER]: nfnetlink_log: include GID in netlink message 2008-01-28 14:59:04 -08:00
nfnetlink_queue.c [NETFILTER]: nfnetlink_{queue,log}: return proper error codes in instance_create 2008-01-28 14:59:02 -08:00
x_tables.c [NETFILTER]: ip_tables: move compat offset calculation to x_tables 2008-01-28 14:58:31 -08:00
xt_CLASSIFY.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_comment.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_connbytes.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_connlimit.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_connmark.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_CONNMARK.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_CONNSECMARK.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_conntrack.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_dccp.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_DSCP.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_dscp.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_esp.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_hashlimit.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_helper.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_iprange.c [NETFILTER]: xt_iprange match, revision 1 2008-01-28 15:02:28 -08:00
xt_length.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_limit.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_mac.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_mark.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_MARK.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_multiport.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_NFLOG.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_NFQUEUE.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_NOTRACK.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_owner.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_physdev.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_pkttype.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_policy.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_quota.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_RATEEST.c [NET_SCHED]: Convert packet schedulers from rtnetlink to new netlink API 2008-01-28 15:11:10 -08:00
xt_rateest.c [NETFILTER]: x_tables: add rateest match 2008-01-28 14:56:03 -08:00
xt_realm.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_sctp.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_SECMARK.c SELinux: Enable dynamic enable/disable of the network access checks 2008-01-30 08:17:26 +11:00
xt_state.c [NETFILTER]: x_tables: use %u format specifiers 2008-01-28 14:59:07 -08:00
xt_statistic.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_string.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_TCPMSS.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_tcpmss.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_TCPOPTSTRIP.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_tcpudp.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_time.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_TRACE.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00
xt_u32.c [NETFILTER]: Update modules' descriptions 2008-01-28 15:02:26 -08:00