linux/security/selinux/ss
Paul Moore f8687afefc [NetLabel]: protect the CIPSOv4 socket option from setsockopt()
This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket.  The first is the requirement
that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
on a socket; this prevents untrusted applications from setting their own
CIPSOv4 security attributes on the packets they send.  The second change is to
SELinux and it prevents applications from setting any IPv4 options when there
is an IPOPT_CIPSO option already present on the socket; this prevents
applications from removing CIPSOv4 security attributes from the packets they
send.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-30 15:24:49 -08:00
avtab.c [PATCH] selinux: more ARRAY_SIZE cleanups 2006-01-06 08:33:29 -08:00
avtab.h [PATCH] selinux: Reduce memory use by avtab 2005-09-05 00:05:50 -07:00
conditional.c [PATCH] SELinux: convert to kzalloc 2005-10-30 17:37:11 -08:00
conditional.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
constraint.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
context.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ebitmap.c NetLabel: better error handling involving mls_export_cat() 2006-10-15 23:14:15 -07:00
ebitmap.h [NetLabel]: SELinux support 2006-09-22 14:53:36 -07:00
hashtab.c [PATCH] SELinux: convert to kzalloc 2005-10-30 17:37:11 -08:00
hashtab.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Makefile Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
mls_types.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
mls.c NetLabel: better error handling involving mls_export_cat() 2006-10-15 23:14:15 -07:00
mls.h [NetLabel]: SELinux support 2006-09-22 14:53:36 -07:00
policydb.c SELinux: Bug fix in polidydb_destroy 2006-10-11 23:59:41 -07:00
policydb.h [PATCH] selinux: add support for range transitions on object classes 2006-09-26 08:48:52 -07:00
services.c [NetLabel]: protect the CIPSOv4 socket option from setsockopt() 2006-10-30 15:24:49 -08:00
services.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sidtab.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sidtab.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
symtab.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
symtab.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00