* [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: Venkat Yekkirala @ 2006-10-05 20:42 UTC
To: netdev; +Cc: selinux, jmorris, sds, eparis, johnpol, herbert
This version takes into account David Miller's comments
regarding treatment of security layer errors in the case
of socket policies. Specifically, these errors will be
treated like how these kinds of errors are treated for
the main/sub policies, which is to return a full lookup
failure.
 include/linux/security.h        |   24 ++-----
 include/net/flow.h              |    2
 include/net/xfrm.h              |    3
 net/core/flow.c                 |   42 ++++++++----
 net/ipv4/xfrm4_policy.c         |    2
 net/ipv6/xfrm6_policy.c         |    2
 net/key/af_key.c                |    5 -
 net/xfrm/xfrm_policy.c          |  101 ++++++++++++++++++++++--------
 net/xfrm/xfrm_user.c            |    9 --
 security/dummy.c                |    3
 security/selinux/include/xfrm.h |    3
 security/selinux/xfrm.c         |   53 ++++++++++++---
 12 files changed, 162 insertions(+), 87 deletions(-)

* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: David Miller @ 2006-10-05 21:05 UTC
To: vyekkirala; +Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
From: Venkat Yekkirala <vyekkirala@trustedcs.com>
Date: Thu, 05 Oct 2006 15:42:13 -0500
> This version takes into account David Miller's comments
> regarding treatment of security layer errors in the case
> of socket policies. Specifically, these errors will be
> treated like how these kinds of errors are treated for
> the main/sub policies, which is to return a full lookup
> failure.
I only have patches "1" and "3" in my inbox, did you forget
to send the second one out or are they simply misnumbered?

* RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: Venkat Yekkirala @ 2006-10-05 21:07 UTC
To: David Miller, Venkat Yekkirala
Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
> > This version takes into account David Miller's comments
> > regarding treatment of security layer errors in the case
> > of socket policies. Specifically, these errors will be
> > treated like how these kinds of errors are treated for
> > the main/sub policies, which is to return a full lookup
> > failure.
>
> I only have patches "1" and "3" in my inbox, did you forget
> to send the second one out or are they simply misnumbered?
>
My apologies. The second one is also numbered 1, but has the
following distinct subject line:
[PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03: Fix xfrm code

* RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: Venkat Yekkirala @ 2006-10-05 21:21 UTC
To: Venkat Yekkirala, 'David Miller'
Cc: 'netdev@vger.kernel.org', 'selinux@tycho.nsa.gov',
'jmorris@namei.org', 'sds@tycho.nsa.gov',
'eparis@redhat.com', 'johnpol@2ka.mipt.ru',
'herbert@gondor.apana.org.au'
> > > This version takes into account David Miller's comments
> > > regarding treatment of security layer errors in the case
> > > of socket policies. Specifically, these errors will be
> > > treated like how these kinds of errors are treated for
> > > the main/sub policies, which is to return a full lookup
> > > failure.
> >
> > I only have patches "1" and "3" in my inbox, did you forget
> > to send the second one out or are they simply misnumbered?
> >
>
> My apologies. The second one is also numbered 1, but has the
> following distinct subject line:
> [PATCH 1/3] Fix for IPsec leakage with SELinux enabled -
> V.03: Fix xfrm code
In actuality, patch 2 in the series has the following subject line:
[PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03

* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: David Miller @ 2006-10-05 21:43 UTC
To: vyekkirala; +Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Date: Thu, 5 Oct 2006 17:07:59 -0400
> My apologies. The second one is also numbered 1, but has the
> following distinct subject line:
> [PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03: Fix xfrm code
I definitely deleted one of them, since I usually get N copies
of every single patch posting and two of them looked identical:)

* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: James Morris @ 2006-10-06 2:50 UTC
To: Venkat Yekkirala, Stephen Smalley
Cc: netdev, selinux, Eric Paris, johnpol, Herbert Xu
These patches look ok to me. I've tested them and applied them to the git
tree [1].
Stephen, please let me know if you see any problems.
--
James Morris
<jmorris@namei.org>
[1] Git - git://git.infradead.org/~jmorris/selinux-2.6.git
Web - http://git.infradead.org/?p=users/jmorris/selinux-2.6.git;a=summary

* Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: Evgeniy Polyakov @ 2006-10-08 10:35 UTC
To: Venkat Yekkirala; +Cc: netdev, selinux, jmorris, sds, eparis, herbert
On Thu, Oct 05, 2006 at 03:42:13PM -0500, Venkat Yekkirala (vyekkirala@trustedcs.com) wrote:
> This version takes into account David Miller's comments
> regarding treatment of security layer errors in the case
> of socket policies. Specifically, these errors will be
> treated like how these kinds of errors are treated for
> the main/sub policies, which is to return a full lookup
> failure.
I applied all three patches and reran my acrypto tests, which do not
show any unencrypted packets anymore, so I ack these changes since they
fix the problem.
Thanks.
--
Evgeniy Polyakov

* RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
From: Venkat Yekkirala @ 2006-10-09 15:42 UTC
To: David Miller, Venkat Yekkirala
Cc: netdev, selinux, jmorris, sds, eparis, johnpol, herbert
> > My apologies. The second one is also numbered 1, but has the
> > following distinct subject line:
> > [PATCH 1/3] Fix for IPsec leakage with SELinux enabled -
> V.03: Fix xfrm code
>
> I definitely deleted one of them, since I usually get N copies
> of every single patch posting and two of them looked identical:)
I guess this is probably the reason why I don't see the fix in net-2.6.git
yet :) I will resend the patchset with the subject titles fixed up since
it needs to be in 2.6.19.