1. 21 Jan, 2015 3 commits
    • smack: Add missing logging in bidirectional UDS connect check · 138a868f
      Rafal Krypa authored
      During UDS connection check, both sides are checked for write access to
      the other side. But only the first check is performed with audit support.
      The second one didn't produce any audit logs. This simple patch fixes that.
      Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
    • Smack: secmark support for netfilter · 69f287ae
      Casey Schaufler authored
      Smack uses CIPSO to label internet packets and thus provide
      for access control on delivery of packets. The netfilter facility
      was not used to allow for Smack to work properly without netfilter
      configuration. Smack does not need netfilter, however there are
      cases where it would be handy.
      
      As a side effect, the labeling of local IPv4 packets can be optimized
      and the handling of local IPv6 packets is just all out better.
      
      The best part is that the netfilter tools use "contexts" that
      are just strings, and they work just as well for Smack as they
      do for SELinux.
      
      All of the conditional compilation for IPv6 was implemented
      by Rafal Krypa <r.krypa@samsung.com>
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    • Smack: Rework file hooks · 5e7270a6
      Casey Schaufler authored
      This is one of those cases where you look at code you did
      years ago and wonder what you might have been thinking.
      There are a number of LSM hooks that work off of file pointers,
      and most of them really want the security data from the inode.
      Some, however, really want the security context that the process
      had when the file was opened. The difference went undetected in
      Smack until it started getting used in a real system with real
      testing. At that point it was clear that something was amiss.
      
      This patch corrects the misuse of the f_security value in several
      of the hooks. The behavior will not usually be any different, as
      the process had to be able to open the file in the first place, and
      the old check almost always succeeded, as will the new, but for
      different reasons.
      
      Thanks to the Samsung Tizen development team that identified this.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
  2. 19 Jan, 2015 4 commits
  3. 15 Jan, 2015 1 commit
  4. 14 Jan, 2015 20 commits
  5. 13 Jan, 2015 12 commits