[LSM-IPSec]: Corrections to LSM-IPSec Nethooks
This patch contains two corrections to the LSM-IPsec Nethooks patches previously applied. (1) free the security context on a failed insert via the xfrm_user interface in xfrm_add_policy, which otherwise leaked memory. (2) change the authorization for allocating a security context in an xfrm_policy or xfrm_state from both relabelfrom and relabelto to setcontext. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
69549ddd2f
commit
5f8ac64b15
@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
|
||||
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
|
||||
err = xfrm_policy_insert(p->dir, xp, excl);
|
||||
if (err) {
|
||||
security_xfrm_policy_free(xp);
|
||||
kfree(xp);
|
||||
return err;
|
||||
}
|
||||
|
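Review bot: The new error path, `security_xfrm_policy_free(xp);` followed by `kfree(xp);`, carries no comment saying why both calls are needed, and the order matters: the security context attached to the policy must be released before the policy struct that owns it is freed, or the reference is lost. I would put one line above the `if (err)`: `/* insert failed: xp was never published, so release its security ctx before freeing it */`. xfrm_add_policy begins before this hunk, so the point where the context is attached to xp is not visible here; presumably it is the earlier construction step in the same function, which should be confirmed so that no other failure return between that step and the insert still leaks it.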
@ -238,5 +238,4 @@
|
||||
S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
|
||||
|
@ -908,8 +908,7 @@
|
||||
|
||||
#define ASSOCIATION__SENDTO 0x00000001UL
|
||||
#define ASSOCIATION__RECVFROM 0x00000002UL
|
||||
#define ASSOCIATION__RELABELFROM 0x00000004UL
|
||||
#define ASSOCIATION__RELABELTO 0x00000008UL
|
||||
#define ASSOCIATION__SETCONTEXT 0x00000004UL
|
||||
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
|
||||
|
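Review bot: `ASSOCIATION__SETCONTEXT` is given the value `0x00000004UL`, the same bit the removed `ASSOCIATION__RELABELFROM` held, so a policy built against the old association permission set that granted relabelfrom would be read by the kernel's avc check in the xfrm.c hunk below as granting setcontext. Whether the policy loader rejects a policy whose permission names for this class do not match these definitions is not visible on this page; if it does not, the commit message should at least say that kernel and policy must be updated together. If this header is hand-maintained, a one-line comment next to the new define would help: `/* 0x4 was relabelfrom; policies must be rebuilt with the new association perms */`; if it is generated, that note belongs with the generator input and in the commit message instead. The av_perm_to_string.h hunk above makes the same rename and shares this concern.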
@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
|
||||
* Must be permitted to relabel from default socket type (process type)
|
||||
* to specified context
|
||||
*/
|
||||
rc = avc_has_perm(tsec->sid, tsec->sid,
|
||||
SECCLASS_ASSOCIATION,
|
||||
ASSOCIATION__RELABELFROM, NULL);
|
||||
if (rc)
|
||||
goto out;
|
||||
|
||||
rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
|
||||
SECCLASS_ASSOCIATION,
|
||||
ASSOCIATION__RELABELTO, NULL);
|
||||
ASSOCIATION__SETCONTEXT, NULL);
|
||||
if (rc)
|
||||
goto out;
|
||||
|
||||
|
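Review bot: The comment retained at the top of the hunk, `Must be permitted to relabel from default socket type (process type) to specified context`, describes the two-step relabelfrom/relabelto check that this hunk removes, so it no longer matches the single `ASSOCIATION__SETCONTEXT` check on `ctx->ctx_sid` that remains (assuming the rendering shows those comment lines as unchanged context rather than part of the removal). Replace it with `/* Must be permitted to set the specified context on an association */`. selinux_xfrm_sec_ctx_alloc begins and ends outside the hunk, so the `out:` label and how ctx is released when the check fails are not visible here and should be confirmed against the full function.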