Inter-revision diff: patch 7

Comparing v24 (message) to v28 (message)

--- v24
+++ v28
@@ -5,6 +5,8 @@
 The security module hook is unchanged, still passing back a secid.
 The infrastructure passes the correct entry from the lsmblob.
 
+Acked-by: Paul Moore <paul@paul-moore.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 Cc: netdev@vger.kernel.org
 Cc: netfilter-devel@vger.kernel.org
@@ -19,7 +21,7 @@
  6 files changed, 85 insertions(+), 25 deletions(-)
 
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 5d8dbfb1dabb..af1d69b41f1c 100644
+index 332df8a1cd4d..986a8f4bcd54 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
@@ -50,7 +52,7 @@
  /* These functions are in security/commoncap.c */
  extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
  		       int cap, unsigned int opts);
-@@ -513,7 +534,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -527,7 +548,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
  int security_netlink_send(struct sock *sk, struct sk_buff *skb);
  int security_ismaclabel(const char *name);
  int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -60,7 +62,7 @@
  void security_release_secctx(char *secdata, u32 seclen);
  void security_inode_invalidate_secctx(struct inode *inode);
  int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
-@@ -1340,7 +1362,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
+@@ -1382,7 +1404,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
  
  static inline int security_secctx_to_secid(const char *secdata,
  					   u32 seclen,
@@ -70,10 +72,10 @@
  	return -EOPNOTSUPP;
  }
 diff --git a/kernel/cred.c b/kernel/cred.c
-index 22e0e7cbefde..848306c7d823 100644
+index ea36ec6e1ad8..38b00a1390f4 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
-@@ -757,14 +757,12 @@ EXPORT_SYMBOL(set_security_override);
+@@ -798,14 +798,12 @@ EXPORT_SYMBOL(set_security_override);
  int set_security_override_from_ctx(struct cred *new, const char *secctx)
  {
  	struct lsmblob blob;
@@ -90,10 +92,10 @@
  }
  EXPORT_SYMBOL(set_security_override_from_ctx);
 diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
-index bf4b3ad5314c..58a994db0069 100644
+index a7e01e9952f1..f9448e81798e 100644
 --- a/net/netfilter/nft_meta.c
 +++ b/net/netfilter/nft_meta.c
-@@ -811,21 +811,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
+@@ -809,21 +809,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
  
  static int nft_secmark_compute_secid(struct nft_secmark *priv)
  {
@@ -121,12 +123,12 @@
  }
  
 diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
-index 75625d13e976..9845d98e6b77 100644
+index 498a0bf6f044..87ca3a537d1c 100644
 --- a/net/netfilter/xt_SECMARK.c
 +++ b/net/netfilter/xt_SECMARK.c
-@@ -43,13 +43,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
- 
- static int checkentry_lsm(struct xt_secmark_target_info *info)
+@@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
+ 
+ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
  {
 +	struct lsmblob blob;
  	int err;
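Review bot: In checkentry_lsm(), `struct lsmblob blob;` is declared without an initializer, and both the call that fills it and the read that follows lie outside this inter-diff hunk. The lines shown do not confirm that security_secctx_to_secid() writes the whole blob on every path that returns 0. If it does not, the value read back from the blob would be uninitialised stack data. Either state the contract at the declaration, `/* filled in full by security_secctx_to_secid() on success */`, or declare it as `struct lsmblob blob = { };`. The same applies to the `struct lsmblob blob;` in set_security_override_from_ctx() in kernel/cred.c, whose body is also cut by its hunk.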
@@ -140,7 +142,7 @@
  	if (err) {
  		if (err == -EINVAL)
  			pr_info_ratelimited("invalid security context \'%s\'\n",
-@@ -57,6 +58,10 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
+@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
  		return err;
  	}
  
@@ -152,7 +154,7 @@
  		pr_info_ratelimited("unable to map security context \'%s\'\n",
  				    info->secctx);
 diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
-index ccb491642811..df9448af23dd 100644
+index 2483df0bbd7c..c29a8d7a7070 100644
 --- a/net/netlabel/netlabel_unlabeled.c
 +++ b/net/netlabel/netlabel_unlabeled.c
 @@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
@@ -215,10 +217,10 @@
  
  /**
 diff --git a/security/security.c b/security/security.c
-index a3e162c4c0d3..1039f8a8ed09 100644
+index 69474918be8b..1621a28bf9c4 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -2127,10 +2127,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+@@ -2193,10 +2193,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
  }
  EXPORT_SYMBOL(security_secid_to_secctx);
  
@@ -244,7 +246,7 @@
  }
  EXPORT_SYMBOL(security_secctx_to_secid);
  
-@@ -2281,10 +2293,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
+@@ -2347,10 +2359,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
  				optval, optlen, len);
  }
  
@@ -275,5 +277,5 @@
  EXPORT_SYMBOL(security_socket_getpeersec_dgram);
  
 -- 
-2.25.4
-
+2.31.1
+