From: Venkat Yekkirala <vyekkirala@trustedcs•com>
To: netdev@vger•kernel.org
Cc: selinux@tycho•nsa.gov, jmorris@namei•org, sds@tycho•nsa.gov,
eparis@redhat•com, johnpol@2ka•mipt.ru,
herbert@gondor•apana.org.au
Subject: [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for scket policies also
Date: Thu, 05 Oct 2006 15:42:35 -0500 [thread overview]
Message-ID: <45256E3B.7070508@trustedcs.com> (raw)
This treats the security errors encountered in the case of
socket policy matching, the same as how these are treated in
the case of main/sub policies, which is to return a full lookup
failure.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS•com>
---
net/xfrm/xfrm_policy.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- net-2.6.sid5/net/xfrm/xfrm_policy.c 2006-10-05 14:36:07.000000000 -0500
+++ net-2.6/net/xfrm/xfrm_policy.c 2006-10-05 14:38:32.000000000 -0500
@@ -1013,12 +1013,16 @@ static struct xfrm_policy *xfrm_sk_polic
sk->sk_family);
int err = 0;
- if (match)
- err = security_xfrm_policy_lookup(pol, fl->secid, policy_to_flow_dir(dir));
-
- if (match && !err)
- xfrm_pol_hold(pol);
- else
+ if (match) {
+ err = security_xfrm_policy_lookup(pol, fl->secid,
+ policy_to_flow_dir(dir));
+ if (!err)
+ xfrm_pol_hold(pol);
+ else if (err == -ESRCH)
+ pol = NULL;
+ else
+ pol = ERR_PTR(err);
+ } else
pol = NULL;
}
read_unlock_bh(&xfrm_policy_lock);
@@ -1310,8 +1314,11 @@ restart:
pol_dead = 0;
xfrm_nr = 0;
- if (sk && sk->sk_policy[1])
+ if (sk && sk->sk_policy[1]) {
policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
+ if (IS_ERR(policy))
+ return PTR_ERR(policy);
+ }
if (!policy) {
/* To accelerate a bit... */
@@ -1604,8 +1611,11 @@ int __xfrm_policy_check(struct sock *sk,
}
pol = NULL;
- if (sk && sk->sk_policy[dir])
+ if (sk && sk->sk_policy[dir]) {
pol = xfrm_sk_policy_lookup(sk, dir, &fl);
+ if (IS_ERR(pol))
+ return 0;
+ }
if (!pol)
pol = flow_cache_lookup(&fl, family, fl_dir,
next reply other threads:[~2006-10-05 20:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-05 20:42 Venkat Yekkirala [this message]
2006-10-05 23:53 ` [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for scket policies also James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45256E3B.7070508@trustedcs.com \
--to=vyekkirala@trustedcs$(echo .)com \
--cc=eparis@redhat$(echo .)com \
--cc=herbert@gondor$(echo .)apana.org.au \
--cc=jmorris@namei$(echo .)org \
--cc=johnpol@2ka$(echo .)mipt.ru \
--cc=netdev@vger$(echo .)kernel.org \
--cc=sds@tycho$(echo .)nsa.gov \
--cc=selinux@tycho$(echo .)nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox