review.tizen.org Git - sdk/emulator/emulator-kernel.git/commit

author	Casey Schaufler <casey@schaufler-ca.com>
	Fri, 13 May 2016 07:29:54 +0000 (16:29 +0900)
committer	Jin-gyu Kim <jin-gyu.kim@samsung.com>
	Fri, 13 May 2016 07:56:26 +0000 (00:56 -0700)
commit	bfc68eeb399fc6351637b22605e23a4f54e443ec
tree	326a2f8d8dadd548e809f12f965c1895d91714a5	tree \| snapshot
parent	63454dbdfeaa6a32da77620996e1721e3b5083fa	commit \| diff

Smack: secmark support for netfilter

Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.

As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.

The best part is that the netfilter tools use contexts that
are just strings, and they work just as well for Smack as they
do for SELinux.

All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[Jin-gyu Kim: Backported from mainline]
Signed-off-by: Jin-gyu Kim <jin-gyu.kim@samsung.com>
Change-Id: I0b30ccaaca61ebf52c4fb6e128863b156524c1b6

security/smack/Kconfig		diff \| blob \| history
security/smack/Makefile		diff \| blob \| history
security/smack/smack.h		diff \| blob \| history
security/smack/smack_lsm.c		diff \| blob \| history
security/smack/smack_netfilter.c	[new file with mode: 0755]	blob