* [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for scket policies also
@ 2006-10-05 20:42 Venkat Yekkirala
2006-10-05 23:53 ` James Morris
0 siblings, 1 reply; 2+ messages in thread
From: Venkat Yekkirala @ 2006-10-05 20:42 UTC (permalink / raw)
To: netdev; +Cc: selinux, jmorris, sds, eparis, johnpol, herbert
This treats the security errors encountered in the case of
socket policy matching, the same as how these are treated in
the case of main/sub policies, which is to return a full lookup
failure.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
net/xfrm/xfrm_policy.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- net-2.6.sid5/net/xfrm/xfrm_policy.c 2006-10-05 14:36:07.000000000 -0500
+++ net-2.6/net/xfrm/xfrm_policy.c 2006-10-05 14:38:32.000000000 -0500
@@ -1013,12 +1013,16 @@ static struct xfrm_policy *xfrm_sk_polic
sk->sk_family);
int err = 0;
- if (match)
- err = security_xfrm_policy_lookup(pol, fl->secid, policy_to_flow_dir(dir));
-
- if (match && !err)
- xfrm_pol_hold(pol);
- else
+ if (match) {
+ err = security_xfrm_policy_lookup(pol, fl->secid,
+ policy_to_flow_dir(dir));
+ if (!err)
+ xfrm_pol_hold(pol);
+ else if (err == -ESRCH)
+ pol = NULL;
+ else
+ pol = ERR_PTR(err);
+ } else
pol = NULL;
}
read_unlock_bh(&xfrm_policy_lock);
@@ -1310,8 +1314,11 @@ restart:
pol_dead = 0;
xfrm_nr = 0;
- if (sk && sk->sk_policy[1])
+ if (sk && sk->sk_policy[1]) {
policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
+ if (IS_ERR(policy))
+ return PTR_ERR(policy);
+ }
if (!policy) {
/* To accelerate a bit... */
@@ -1604,8 +1611,11 @@ int __xfrm_policy_check(struct sock *sk,
}
pol = NULL;
- if (sk && sk->sk_policy[dir])
+ if (sk && sk->sk_policy[dir]) {
pol = xfrm_sk_policy_lookup(sk, dir, &fl);
+ if (IS_ERR(pol))
+ return 0;
+ }
if (!pol)
pol = flow_cache_lookup(&fl, family, fl_dir,
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for scket policies also
2006-10-05 20:42 [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for scket policies also Venkat Yekkirala
@ 2006-10-05 23:53 ` James Morris
0 siblings, 0 replies; 2+ messages in thread
From: James Morris @ 2006-10-05 23:53 UTC (permalink / raw)
To: Venkat Yekkirala; +Cc: netdev, selinux, sds, eparis, johnpol, herbert
For future patches, please follow the recommended subject line outlined in
http://www.zip.com.au/~akpm/linux/patches/stuff/tpp.txt
e.g. "[patch 2/5] ext2: improve scalability of bitmap searching"
Also, can you please try and figure out how to get outlook to stop
breaking threads or switch to Thunderbird or something? It's very
difficult with hundreds of emails in a discussion, many of which are
important patches to dig out. Also, some kernel developers filter posts
from mailers which break threads.
- James
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-10-05 23:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-05 20:42 [PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.03: Process security errors for scket policies also Venkat Yekkirala
2006-10-05 23:53 ` James Morris
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).