* [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for socket policies also
From: Venkat Yekkirala @ 2006-10-05 20:42 UTC (permalink / raw)
  To: netdev; +Cc: selinux, jmorris, sds, eparis, johnpol, herbert

This treats the security errors encountered in the case of
socket policy matching the same way they are treated in
the case of main/sub policies, which is to return a full lookup
failure.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
 net/xfrm/xfrm_policy.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- net-2.6.sid5/net/xfrm/xfrm_policy.c	2006-10-05 14:36:07.000000000 -0500
+++ net-2.6/net/xfrm/xfrm_policy.c	2006-10-05 14:38:32.000000000 -0500
@@ -1013,12 +1013,16 @@ static struct xfrm_policy *xfrm_sk_polic
 						sk->sk_family);
  		int err = 0;
 
-		if (match)
-		  err = security_xfrm_policy_lookup(pol, fl->secid, policy_to_flow_dir(dir));
-
- 		if (match && !err)
-			xfrm_pol_hold(pol);
-		else
+		if (match) {
+			err = security_xfrm_policy_lookup(pol, fl->secid,
+					policy_to_flow_dir(dir));
+			if (!err)
+				xfrm_pol_hold(pol);
+			else if (err == -ESRCH)
+				pol = NULL;
+			else
+				pol = ERR_PTR(err);
+		} else
 			pol = NULL;
 	}
 	read_unlock_bh(&xfrm_policy_lock);
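Review bot: the trailing `} else` in this hunk leaves `pol = NULL;` unbraced while the `if (match)` branch is braced; kernel CodingStyle wants braces on both branches when either needs them, so make it `} else {` / `pol = NULL;` / `}`. The `else if (err == -ESRCH)` / `else pol = ERR_PTR(err);` split also deserves a one-line comment: -ESRCH is being treated as "no matching socket policy, fall back to the main/sub policy lookup" (NULL), while every other error is a hard failure handed back via ERR_PTR(), and both callers changed later in this patch rely on exactly that distinction without the code saying so. Since `err` is now only assigned inside the braced block, the `int err = 0;` initializer could move inside it as well.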
@@ -1310,8 +1314,11 @@ restart:
 	pol_dead = 0;
 	xfrm_nr = 0;
 
-	if (sk && sk->sk_policy[1])
+	if (sk && sk->sk_policy[1]) {
 		policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
+		if (IS_ERR(policy))
+			return PTR_ERR(policy);
+	}
 
 	if (!policy) {
 		/* To accelerate a bit...  */
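Review bot: the changed condition still indexes `sk->sk_policy[1]` while the very next line spells the same direction as `XFRM_POLICY_OUT`; use `sk->sk_policy[XFRM_POLICY_OUT]` so the index and the lookup direction visibly agree. The new `return PTR_ERR(policy);` is also a behaviour change worth stating in the changelog: before this patch a security error on the socket policy was swallowed (the lookup returned NULL and the main policy was searched), whereas now the enclosing function fails with a negative errno, and only -ESRCH keeps the old fall-through behaviour because xfrm_sk_policy_lookup() maps it to NULL.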
@@ -1604,8 +1611,11 @@ int __xfrm_policy_check(struct sock *sk,
 	}
 
 	pol = NULL;
-	if (sk && sk->sk_policy[dir])
+	if (sk && sk->sk_policy[dir]) {
 		pol = xfrm_sk_policy_lookup(sk, dir, &fl);
+		if (IS_ERR(pol))
+			return 0;
+	}
 
 	if (!pol)
 		pol = flow_cache_lookup(&fl, family, fl_dir,
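Review bot: `return 0;` after `IS_ERR(pol)` reads like "no policy found" but is the deny result of `__xfrm_policy_check()`; add a comment saying that -ESRCH cannot reach this point (xfrm_sk_policy_lookup() turns it into NULL, which falls through to flow_cache_lookup()), so only a genuine security error lands here and the packet is dropped. That makes the asymmetry with the previous hunk, where the same error propagates as a negative errno, deliberate and documented rather than something the next reader has to reconstruct.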

* Re: [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for socket policies also
From: James Morris @ 2006-10-05 23:53 UTC (permalink / raw)
  To: Venkat Yekkirala; +Cc: netdev, selinux, sds, eparis, johnpol, herbert

For future patches, please follow the recommended subject line outlined in 
http://www.zip.com.au/~akpm/linux/patches/stuff/tpp.txt

e.g.  "[patch 2/5] ext2: improve scalability of bitmap searching"


Also, can you please try and figure out how to get Outlook to stop 
breaking threads, or switch to Thunderbird or something?  It's very 
difficult with hundreds of emails in a discussion, many of which are 
important patches, to dig out.  Also, some kernel developers filter posts 
from mailers which break threads.


- James
-- 
James Morris
<jmorris@namei.org>
