The following changes since commit de46c33745f5e2ad594c72f2cf5f490861b16ce1:
Linus Torvalds (1):
Linux 2.6.21
are found in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-linus
James Carter (4):
selinux: export initial SID contexts via selinuxfs
selinux: explicitly number all selinuxfs inodes
selinux: remove unused enumeration constant from selinuxfs
selinux: change numbering of boolean directory inodes in selinuxfs
Paul Moore (5):
NetLabel: cleanup and document CIPSO constants
NetLabel: convert a BUG_ON in the CIPSO code to a runtime check
SELinux: extract the NetLabel SELinux support from the security server
SELinux: rename selinux_netlabel.h to netlabel.h
SELinux: move security_skb_extlbl_sid() out of the security server
Stephen Smalley (3):
MAINTAINERS: update selinux entry
selinux: remove userland security class and permission definitions
selinux: preserve boolean values across policy reloads
MAINTAINERS | 4 +-
net/ipv4/cipso_ipv4.c | 41 ++-
net/netlabel/netlabel_kapi.c | 3 -
security/selinux/Makefile | 2 +
security/selinux/avc.c | 2 +
security/selinux/hooks.c | 38 ++-
security/selinux/include/av_perm_to_string.h | 102 ----
security/selinux/include/av_permissions.h | 179 -------
security/selinux/include/class_to_string.h | 34 +-
security/selinux/include/flask.h | 16 -
.../include/{selinux_netlabel.h => netlabel.h} | 71 ++--
security/selinux/include/security.h | 29 +-
security/selinux/netlabel.c | 363 ++++++++++++++
security/selinux/selinuxfs.c | 85 +++-
security/selinux/ss/services.c | 499 +++++--...
From: Stephen Smalley <sds@tycho.nsa.gov>
At present, the userland policy loading code has to go through contortions
to preserve boolean values across policy reloads, and cannot do so
atomically. As this is what we always want to do for reloads, let the
kernel preserve them instead.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/ss/services.c | 38 ++++++++++++++++++++++++++++++++++++++
1 files changed, 38 insertions(+), 0 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 21b8318..40660ff 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1257,6 +1257,7 @@ bad:
}
extern void selinux_complete_init(void);
+static int security_preserve_bools(struct policydb *p);
/**
* security_load_policy - Load a security policy configuration.
@@ -1333,6 +1334,12 @@ int security_load_policy(void *data, size_t len)
goto err;
}
+ rc = security_preserve_bools(&newpolicydb);
+ if (rc) {
+ printk(KERN_ERR "security: unable to preserve booleans\n");
+ goto err;
+ }
+
/* Clone the SID table. */
sidtab_shutdown(&sidtab);
if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
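Review bot: The new call `rc = security_preserve_bools(&newpolicydb);` is the point at which a reload stops resetting booleans to their policy-file defaults, and nothing in the hunk says so; a one-line comment would keep the next reader from taking it for a plain validation step, e.g. `/* Carry the running boolean values into the new policy: a reload must not silently revert booleans to their compiled defaults. */`. The error message on the following lines drops the cause; `printk(KERN_ERR "security: unable to preserve booleans (%d)\n", rc);` makes the failure diagnosable from the log. security_load_policy() starts and ends outside the hunk, so what the `err` label releases for newpolicydb is not visible here.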
@@ -1890,6 +1897,37 @@ out:
return rc;
}
+static int security_preserve_bools(struct policydb *p)
+{
+ int rc, nbools = 0, *bvalues = NULL, i;
+ char **bnames = NULL;
+ struct cond_bool_datum *booldatum;
+ struct cond_node *cur;
+
+ rc = security_get_bools(&nbools, &bnames, &bvalues);
+ if (rc)
+ goto out;
+ for (i = 0; i < nbools; i++) {
+ booldatum = hashtab_search(p->p_bools.table, bnames[i]);
+ if (booldatum)
+ booldatum->state = bvalues[i];
+ }
+ for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+ rc = evaluate_cond_node(p, cur);
+ if (rc)
+ goto out;
+ }
+
+out:
+ if (bnames) {
+...
From: James Carter <jwcart2@tycho.nsa.gov>
Change the numbering of the booleans directory inodes in selinuxfs to
provide more room for new inodes without a conflict in inode numbers and
to be consistent with how inode numbering is done in the
initial_contexts directory.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@parisplace.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/selinuxfs.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 097bc04..aca099a 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -105,6 +105,7 @@ enum sel_inos {
static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
#define SEL_INITCON_INO_OFFSET 0x01000000
+#define SEL_BOOL_INO_OFFSET 0x02000000
#define SEL_INO_MASK 0x00ffffff
#define TMPBUFLEN 12
@@ -782,8 +783,6 @@ static struct inode *sel_make_inode(struct super_block *sb, int mode)
return ret;
}
-#define BOOL_INO_OFFSET 30
-
static ssize_t sel_read_bool(struct file *filep, char __user *buf,
size_t count, loff_t *ppos)
{
@@ -811,14 +810,14 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
}
inode = filep->f_path.dentry->d_inode;
- cur_enforcing = security_get_bool_value(inode->i_ino - BOOL_INO_OFFSET);
+ cur_enforcing = security_get_bool_value(inode->i_ino&SEL_INO_MASK);
if (cur_enforcing < 0) {
ret = cur_enforcing;
goto out;
}
length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
- bool_pending_values[inode->i_ino - BOOL_INO_OFFSET]);
+ bool_pending_values[inode->i_ino&SEL_INO_MASK]);
ret = simple_read_from_buffer(buf, count, ppos, page, length);
out:
mutex_unlock(&sel_mutex);
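Review bot: `bool_pending_values[inode->i_ino&SEL_INO_MASK]` indexes the pending-values array with the masked inode number and no local bound; that is only safe because `security_get_bool_value()` is called with the same index first and a negative return takes the `goto out` path, so it must reject indexes at or beyond the boolean count and the array must be sized to that same count — both live outside this hunk and should be confirmed. Kernel style also wants spaces around the operator on both changed lines: `inode->i_ino & SEL_INO_MASK`. The matching change on the write side in the `@@ -870` hunk is cut off on this page, so it cannot be checked here.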
@@ -870,7 +869,7 @@ static ssize_t sel_write_bool(struct file *filep, const char ...
From: James Carter <jwcart2@tycho.nsa.gov>
Remove the unused enumeration constant, SEL_AVC, from the sel_inos
enumeration in selinuxfs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@parisplace.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/selinuxfs.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 1a786db..097bc04 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -96,7 +96,6 @@ enum sel_inos {
SEL_COMMIT_BOOLS, /* commit new boolean values */
SEL_MLS, /* return if MLS policy is enabled */
SEL_DISABLE, /* disable SELinux until next reboot */
- SEL_AVC, /* AVC management directory */
SEL_MEMBER, /* compute polyinstantiation membership decision */
SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
SEL_COMPAT_NET, /* whether to use old compat network packet controls */
--
1.5.0.6-
From: James Carter <jwcart2@tycho.nsa.gov>
Explicitly number all selinuxfs inodes to prevent a conflict between
inodes numbered using last_ino when created with new_inode() and those
labeled explicitly.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@parisplace.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/selinuxfs.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index e24235c..1a786db 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -100,8 +100,11 @@ enum sel_inos {
SEL_MEMBER, /* compute polyinstantiation membership decision */
SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
SEL_COMPAT_NET, /* whether to use old compat network packet controls */
+ SEL_INO_NEXT, /* The next inode number to use */
};
+static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
+
#define SEL_INITCON_INO_OFFSET 0x01000000
#define SEL_INO_MASK 0x00ffffff
@@ -1237,6 +1240,7 @@ static int sel_make_avc_files(struct dentry *dir)
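Review bot: `SEL_INO_NEXT` and `sel_last_ino` introduce an inode-number allocation scheme — fixed entries from `enum sel_inos`, then a running counter, then offset-based ranges decoded with `SEL_INO_MASK` (see `sid = inode->i_ino&SEL_INO_MASK` in the initcon patch) — but none of the three carries a comment saying so. Suggest above the counter: `/* Last inode number handed out from the flat range: sel_inos entries are fixed, later inodes take ++sel_last_ino, and per-directory tables use an offset OR'ed with an index below SEL_INO_MASK. */`. The comment should also state that the counter range and the 0x01000000 offset range are meant to be disjoint, since nothing enforces it.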
goto out;
}
inode->i_fop = files[i].ops;
+ inode->i_ino = ++sel_last_ino;
d_add(dentry, inode);
}
out:
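Review bot: `inode->i_ino = ++sel_last_ino;` advances a file-scope counter with no locking visible, here and on the same line in the sel_make_dir and sel_fill_super hunks below. If all three are reached only from sel_fill_super() during mount that is fine, but the hunk does not show it; a comment at the definition of `sel_last_ino` naming the lock or single-threaded path that serialises it would settle the question, e.g. `/* only advanced from the mount-time setup path */`, or the increment could be taken under `sel_mutex`, which the file already uses. sel_make_avc_files() starts outside the hunk.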
@@ -1304,6 +1308,7 @@ static int sel_make_dir(struct inode *dir, struct dentry *dentry)
}
inode->i_op = &simple_dir_inode_operations;
inode->i_fop = &simple_dir_operations;
+ inode->i_ino = ++sel_last_ino;
/* directory inodes start off with i_nlink == 2 (for "." entry) */
inc_nlink(inode);
d_add(dentry, inode);
@@ -1366,6 +1371,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
ret = -ENOMEM;
goto err;
}
+ inode->i_ino = ++sel_last_ino;
isec = (struct inode_security_struct*)inode->i_security;
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
...
From: James Carter <jwcart2@tycho.nsa.gov>
Make the initial SID contexts accessible to userspace via selinuxfs.
An initial use of this support will be to make the unlabeled context
available to libselinux to use for invalidated userspace SIDs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/include/security.h | 2 +
security/selinux/selinuxfs.c | 67 +++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 7 ++++
3 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index bfe562c..b94378a 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -123,5 +123,7 @@ static inline int security_netlbl_sid_to_secattr(u32 sid,
}
#endif /* CONFIG_NETLABEL */
+const char *security_get_initial_sid_context(u32 sid);
+
#endif /* _SELINUX_SECURITY_H_ */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 93b3177..e24235c 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -102,6 +102,9 @@ enum sel_inos {
SEL_COMPAT_NET, /* whether to use old compat network packet controls */
};
+#define SEL_INITCON_INO_OFFSET 0x01000000
+#define SEL_INO_MASK 0x00ffffff
+
#define TMPBUFLEN 12
static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
size_t count, loff_t *ppos)
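Review bot: `SEL_INITCON_INO_OFFSET` and `SEL_INO_MASK` define how an initial-SID inode number is composed and later decoded (`sid = inode->i_ino&SEL_INO_MASK` in sel_read_initcon further down), yet neither macro carries a comment. Suggest above the two defines: `/* Inode numbers for per-directory entries are a directory offset OR'ed with an index; SEL_INO_MASK recovers the index, so indexes must stay below 0x01000000. */`. The masked value is then passed straight to security_sid_to_context(), so the note should also say that only inodes created with this offset may reach sel_read_initcon().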
@@ -1240,6 +1243,55 @@ out:
return ret;
}
+static ssize_t sel_read_initcon(struct file * file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ struct inode *inode;
+ char *con;
+ u32 sid, len;
+ ssize_t ret;
+
+ inode = file->f_path.dentry->d_inode;
+ sid = inode->i_ino&SEL_INO_MASK;
+ ret = security_sid_to_context(sid, &con, &len);
+ if (ret < 0)
+ return ret;
+
+ ret = simple_read_from_buffer(b...
From: Stephen Smalley <sds@tycho.nsa.gov>
Remove userland security class and permission definitions from the kernel
as the kernel only needs to use and validate its own class and permission
definitions and userland definitions may change.Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/avc.c | 2 +
security/selinux/include/av_perm_to_string.h | 102 ---------------
security/selinux/include/av_permissions.h | 179 --------------------------
security/selinux/include/class_to_string.h | 34 +++---
security/selinux/include/flask.h | 16 ---
security/selinux/ss/services.c | 2 +
6 files changed, 21 insertions(+), 314 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index da8caf1..e4396a8 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -217,6 +217,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
audit_log_format(ab, " tcontext=%s", scontext);
kfree(scontext);
}
+
+ BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
}
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
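Review bot: `BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);` turns an out-of-range or now-NULL class entry into a kernel panic inside an audit helper whose only job is to format a log line. Since `tclass` is used here only for the `tclass=%s` field, logging the raw number is the safer failure mode, with a `WARN_ON` if the table invariant is meant to hold; the NULL case is presumably what the class_to_string.h change in this commit introduces for removed userland classes, but that hunk is not visible here. avc_dump_query() starts outside the hunk.
```c
	/* … unchanged: scontext/tcontext logging … */
	if (tclass < ARRAY_SIZE(class_to_string) && class_to_string[tclass])
		audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
	else
		audit_log_format(ab, " tclass=%u", tclass); /* WARN_ON here if this is an invariant */
```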
index ad9fb2d..b83e740 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -128,96 +128,6 @@
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
- S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
- S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
- S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
- S_(SECCLASS_PASSWD, PASSWD__ROOTOK, "rootok")
- S_(SECCLASS_PASSWD, PASSWD__CRONTAB, "crontab")
- S_(SECCLASS_DRAWABLE, DRAWABLE__CRE...
From: Paul Moore <paul.moore@hp.com>
As suggested, move the security_skb_extlbl_sid() function out of the security
server and into the SELinux hooks file.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/hooks.c | 36 ++++++++++++++++++++++++++++++----
security/selinux/include/security.h | 3 --
security/selinux/ss/services.c | 27 --------------------------
3 files changed, 31 insertions(+), 35 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7f8d0b1..68629aa 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
return ret;
}
+/**
+ * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+ u32 base_sid,
+ u32 *sid)
+{
+ u32 xfrm_sid;
+ u32 nlbl_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ if (selinux_netlbl_skbuff_getsid(skb,
+ (xfrm_sid == SECSID_NULL ?
+ base_sid : xfrm_sid),
+ &nlbl_sid) != 0)
+ nlbl_sid = SECSID_NULL;
+
+ *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
/* socket security operations */
static int socket_has_perm(struct task_struct *task, struct socket *sock,
u32 perms)
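Review bot: A failing `selinux_netlbl_skbuff_getsid()` is collapsed into `nlbl_sid = SECSID_NULL`, so the caller receives the xfrm SID (or SECSID_NULL) and cannot tell a lookup error from an unlabeled packet; the kernel-doc above the function should say so, e.g. adding ` * A NetLabel lookup failure is treated as "no NetLabel label"; the xfrm SID, or SECSID_NULL, is returned in that case.` under Description. The `@base_sid` line says the SID is used only for MLS external labels, which the body does not show — that is a property of the callee and is worth confirming against it. If the void return is deliberate, a one-line reason there would stop a later reader from "fixing" it.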
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
if (sock && sock->sk->sk_family == PF_UNIX)
selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
else if (skb)
- security_skb_extl...
From: Stephen Smalley <sds@tycho.nsa.gov>
Add Eric Paris as an SELinux maintainer.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---
MAINTAINERS | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 277877a..4d487c3 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2961,8 +2961,10 @@ P: Stephen Smalley
M: sds@tycho.nsa.gov
P: James Morris
M: jmorris@namei.org
+P: Eric Paris
+M: eparis@parisplace.org
L: linux-kernel@vger.kernel.org (kernel issues)
-L: selinux@tycho.nsa.gov (general discussion)
+L: selinux@tycho.nsa.gov (subscribers-only, general discussion)
W: http://www.nsa.gov/selinux
S: Supported--
1.5.0.6-
From: Paul Moore <paul.moore@hp.com>
In the beginning I named the file selinux_netlabel.h to avoid potential
namespace collisions. However, over time I have realized that there are several
other similar cases of multiple header files with the same name so I'm changing
the name to something which better fits with existing naming conventions.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
security/selinux/hooks.c | 2 +-
security/selinux/include/netlabel.h | 121 +++++++++++++++++++++++++++
security/selinux/include/selinux_netlabel.h | 121 ---------------------------
security/selinux/ss/services.c | 2 +-
4 files changed, 123 insertions(+), 123 deletions(-)
create mode 100644 security/selinux/include/netlabel.h
delete mode 100644 security/selinux/include/selinux_netlabel.h
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d41e24d..7f8d0b1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -77,7 +77,7 @@
#include "objsec.h"
#include "netif.h"
#include "xfrm.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
#define XATTR_SELINUX_SUFFIX "selinux"
#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
new file mode 100644
index 0000000..218e3f7
--- /dev/null
+++ b/security/selinux/include/netlabel.h
@@ -0,0 +1,121 @@
+/*
+ * SELinux interface to the NetLabel subsystem
+ *
+ * Author : Paul Moore <paul.moore@hp.com>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed...
From: Paul Moore <paul.moore@hp.com>
Up until this patch the functions which have provided NetLabel support to
SELinux have been integrated into the SELinux security server, which for
various reasons is not really ideal. This patch makes an effort to extract as
much of the NetLabel support from the security server as possible and move it
into its own file within the SELinux directory structure.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
net/netlabel/netlabel_kapi.c | 3 -
security/selinux/Makefile | 2 +
security/selinux/include/security.h | 24 ++
security/selinux/include/selinux_netlabel.h | 71 +++---
security/selinux/netlabel.c | 363 +++++++++++++++++++++++
security/selinux/ss/services.c | 423 ++++-----------------------
6 files changed, 481 insertions(+), 405 deletions(-)
create mode 100644 security/selinux/netlabel.c
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index e03a328..f2535e7 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -263,9 +263,6 @@ int netlbl_socket_setattr(const struct socket *sock,
int ret_val = -ENOENT;
struct netlbl_dom_map *dom_entry;
- if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
- return -ENOENT;
-
rcu_read_lock();
dom_entry = netlbl_domhsh_getentry(secattr->domain);
if (dom_entry == NULL)
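Review bot: With the `NETLBL_SECATTR_DOMAIN` guard gone, `dom_entry = netlbl_domhsh_getentry(secattr->domain);` now runs for every caller, so correctness depends on `secattr->domain` being NULL rather than stale whenever the flag is unset, and on netlbl_domhsh_getentry() falling back to the default mapping for a NULL domain; neither is visible in this hunk and both should be confirmed. A comment at the call, e.g. `/* a NULL domain (NETLBL_SECATTR_DOMAIN unset) selects the default mapping */`, records the contract this now relies on. netlbl_socket_setattr() starts outside the hunk.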
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index faf2e02..dc3502e 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
+selinux-$(CONFIG_NETLABEL) += netlabel.o
+
EXTRA_CFLAGS += -Isecurity/selinux/include
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 210eec7..605b071...
From: Paul Moore <paul.moore@hp.com>
This patch changes a BUG_ON in the CIPSO code to a runtime check. It should
also increase the readability of the code as it replaces an unexplained
constant with a well-defined macro.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
net/ipv4/cipso_ipv4.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index d466bd5..6afc398 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1142,7 +1142,9 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
u32 cat_size = 0;
/* make sure we don't overflow the 'array[]' variable */
- BUG_ON(net_cat_len > 30);
+ if (net_cat_len >
+ (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
+ return -ENOSPC;
for (;;) {
iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1);
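Review bot: The comment `/* make sure we don't overflow the 'array[]' variable */` now sits over a check that bounds the caller-supplied `net_cat_len`, not `array[]` directly; the array is presumably protected only indirectly, by the per-category length checks in the loop body that lie outside the hunk, and that derivation is what the comment should state, e.g. `/* net_cat_len is capped at the space left after the option header and tag base, so the loop below can emit at most CIPSO_V4_TAG_RNG_CAT_MAX ranges into array[] before its length checks fire */`. The declaration of `array[]` and the rest of cipso_v4_map_cat_rng_hton() are outside the hunk, so the entry count should be confirmed against the "16" mentioned in the later constants hunk. `-ENOSPC` for a buffer that is too large is also slightly misleading; `-EINVAL` describes it better if no caller depends on the current value.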
--
1.5.0.6-
From: Paul Moore <paul.moore@hp.com>
This patch collects all of the CIPSO constants and puts them in one place; it
also documents each value, explaining how it is derived.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
net/ipv4/cipso_ipv4.c | 37 +++++++++++++++++++++++++++++--------
1 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 2ce5b69..d466bd5 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -92,6 +92,33 @@ int cipso_v4_rbm_optfmt = 0;
int cipso_v4_rbm_strictvalid = 1;
/*
+ * Protocol Constants
+ */
+
+/* Maximum size of the CIPSO IP option, derived from the fact that the maximum
+ * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
+#define CIPSO_V4_OPT_LEN_MAX 40
+
+/* Length of the base CIPSO option, this includes the option type (1 byte), the
+ * option length (1 byte), and the DOI (4 bytes). */
+#define CIPSO_V4_HDR_LEN 6
+
+/* Base length of the restrictive category bitmap tag (tag #1). */
+#define CIPSO_V4_TAG_RBM_BLEN 4
+
+/* Base length of the enumerated category tag (tag #2). */
+#define CIPSO_V4_TAG_ENUM_BLEN 4
+
+/* Base length of the ranged categories bitmap tag (tag #5). */
+#define CIPSO_V4_TAG_RNG_BLEN 4
+/* The maximum number of category ranges permitted in the ranged category tag
+ * (tag #5). You may note that the IETF draft states that the maximum number
+ * of category ranges is 7, but if the low end of the last category range is
+ * zero then it is possibile to fit 8 category ranges because the zero should
+ * be omitted. */
+#define CIPSO_V4_TAG_RNG_CAT_MAX 8
+
+/*
* Helper Functions
*/
@@ -1109,15 +1136,12 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
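Review bot: The comment on `CIPSO_V4_TAG_RNG_CAT_MAX` has a typo, `possibile` for `possible`, and the three tag base-length comments stop at "Base length" while the `CIPSO_V4_HDR_LEN` comment above them itemises its bytes. Per the CIPSO draft the 4 base bytes of tags #1, #2 and #5 are tag type, tag length, alignment octet and sensitivity level, one byte each, so e.g. `/* Base length of the restrictive category bitmap tag (tag #1): tag type, tag length, alignment octet and sensitivity level, one byte each. */` would make each value as self-explaining as the header one; confirm the breakdown against the draft before copying it to the other two. A blank line before `/* The maximum number of category ranges …` would also match the spacing of the surrounding entries.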
unsigned char *net_cat,
u32 net_cat_len)
{
- /* The constant '16' is not random, it is ...