From: Paul Moore <pmoore@redhat.com>
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: omoris@redhat.com, pwouters@redhat.com
Subject: [PATCH v3 2/2] selinux: fix the labeled xfrm/IPsec reference count handling
Date: Wed, 29 May 2013 13:36:32 -0400 [thread overview]
Message-ID: <20130529173632.31888.39884.stgit@localhost> (raw)
In-Reply-To: <20130529173336.31888.29695.stgit@localhost>
The SELinux labeled IPsec code was improperly handling its reference
counting, dropping a reference on a delete operation instead of on a
free/release operation.
Reported-by: Ondrej Moris <omoris@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
security/selinux/xfrm.c | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 8ab2951..d030818 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -316,6 +316,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
+ atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;
}
return 0;
@@ -326,6 +327,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
+ atomic_dec(&selinux_xfrm_refcount);
kfree(ctx);
}
@@ -335,17 +337,13 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
const struct task_security_struct *tsec = current_security();
- int rc = 0;
- if (ctx) {
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__SETCONTEXT, NULL);
- if (rc == 0)
- atomic_dec(&selinux_xfrm_refcount);
- }
+ if (!ctx)
+ return 0;
- return rc;
+ return avc_has_perm(tsec->sid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
+ NULL);
}
/*
@@ -370,8 +368,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
*/
void selinux_xfrm_state_free(struct xfrm_state *x)
{
- struct xfrm_sec_ctx *ctx = x->security;
- kfree(ctx);
+ atomic_dec(&selinux_xfrm_refcount);
+ kfree(x->security);
}
/*
@@ -381,17 +379,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
{
const struct task_security_struct *tsec = current_security();
struct xfrm_sec_ctx *ctx = x->security;
- int rc = 0;
- if (ctx) {
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__SETCONTEXT, NULL);
- if (rc == 0)
- atomic_dec(&selinux_xfrm_refcount);
- }
+ if (!ctx)
+ return 0;
- return rc;
+ return avc_has_perm(tsec->sid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
+ NULL);
}
/*
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <pmoore@redhat.com>
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: omoris@redhat.com, pwouters@redhat.com
Subject: [PATCH v3 2/2] selinux: fix the labeled xfrm/IPsec reference count handling
Date: Wed, 29 May 2013 13:36:32 -0400 [thread overview]
Message-ID: <20130529173632.31888.39884.stgit@localhost> (raw)
In-Reply-To: <20130529173336.31888.29695.stgit@localhost>
The SELinux labeled IPsec code was improperly handling its reference
counting, dropping a reference on a delete operation instead of on a
free/release operation.
Reported-by: Ondrej Moris <omoris@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
security/selinux/xfrm.c | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 8ab2951..d030818 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -316,6 +316,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
+ atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;
}
return 0;
@@ -326,6 +327,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
+ atomic_dec(&selinux_xfrm_refcount);
kfree(ctx);
}
@@ -335,17 +337,13 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
const struct task_security_struct *tsec = current_security();
- int rc = 0;
- if (ctx) {
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__SETCONTEXT, NULL);
- if (rc == 0)
- atomic_dec(&selinux_xfrm_refcount);
- }
+ if (!ctx)
+ return 0;
- return rc;
+ return avc_has_perm(tsec->sid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
+ NULL);
}
/*
@@ -370,8 +368,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
*/
void selinux_xfrm_state_free(struct xfrm_state *x)
{
- struct xfrm_sec_ctx *ctx = x->security;
- kfree(ctx);
+ atomic_dec(&selinux_xfrm_refcount);
+ kfree(x->security);
}
/*
@@ -381,17 +379,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
{
const struct task_security_struct *tsec = current_security();
struct xfrm_sec_ctx *ctx = x->security;
- int rc = 0;
- if (ctx) {
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__SETCONTEXT, NULL);
- if (rc == 0)
- atomic_dec(&selinux_xfrm_refcount);
- }
+ if (!ctx)
+ return 0;
- return rc;
+ return avc_has_perm(tsec->sid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
+ NULL);
}
/*
next prev parent reply other threads:[~2013-05-29 17:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-29 17:36 [PATCH v3 0/2] Fix the SELinux dynamic network access controls Paul Moore
2013-05-29 17:36 ` Paul Moore
2013-05-29 17:36 ` [PATCH v3 1/2] xfrm: force a garbage collection after deleting a policy Paul Moore
2013-05-29 17:36 ` Paul Moore
2013-05-29 17:36 ` Paul Moore [this message]
2013-05-29 17:36 ` [PATCH v3 2/2] selinux: fix the labeled xfrm/IPsec reference count handling Paul Moore
2013-06-01 0:31 ` [PATCH v3 0/2] Fix the SELinux dynamic network access controls David Miller
2013-06-03 15:11 ` Paul Moore
2013-06-03 15:11 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130529173632.31888.39884.stgit@localhost \
--to=pmoore@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=omoris@redhat.com \
--cc=pwouters@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.