diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-04-12 22:07:52 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-04-12 22:07:52 -0400 |
| commit | 03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b (patch) | |
| tree | 1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7 /security/security.c | |
| parent | 00447872a643787411c2c0cb1df6169dda8b0c47 (diff) | |
LSM: Make the Labeled IPsec hooks more stack friendly
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs
on the stack to work around the LSM API. This patch attempts to fix that
problem by changing the LSM API to require only the relevant "security"
pointers instead of the entire SPD entry; we do this for all of the
security_xfrm_policy*() functions to keep things consistent.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/security/security.c b/security/security.c index b1387a6b416..c9ff7d18c2f 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -1014,26 +1014,27 @@ void security_inet_conn_established(struct sock *sk, | |||
| 1014 | 1014 | ||
| 1015 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 1015 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
| 1016 | 1016 | ||
| 1017 | int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) | 1017 | int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx) |
| 1018 | { | 1018 | { |
| 1019 | return security_ops->xfrm_policy_alloc_security(xp, sec_ctx); | 1019 | return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx); |
| 1020 | } | 1020 | } |
| 1021 | EXPORT_SYMBOL(security_xfrm_policy_alloc); | 1021 | EXPORT_SYMBOL(security_xfrm_policy_alloc); |
| 1022 | 1022 | ||
| 1023 | int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) | 1023 | int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, |
| 1024 | struct xfrm_sec_ctx **new_ctxp) | ||
| 1024 | { | 1025 | { |
| 1025 | return security_ops->xfrm_policy_clone_security(old, new); | 1026 | return security_ops->xfrm_policy_clone_security(old_ctx, new_ctxp); |
| 1026 | } | 1027 | } |
| 1027 | 1028 | ||
| 1028 | void security_xfrm_policy_free(struct xfrm_policy *xp) | 1029 | void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx) |
| 1029 | { | 1030 | { |
| 1030 | security_ops->xfrm_policy_free_security(xp); | 1031 | security_ops->xfrm_policy_free_security(ctx); |
| 1031 | } | 1032 | } |
| 1032 | EXPORT_SYMBOL(security_xfrm_policy_free); | 1033 | EXPORT_SYMBOL(security_xfrm_policy_free); |
| 1033 | 1034 | ||
| 1034 | int security_xfrm_policy_delete(struct xfrm_policy *xp) | 1035 | int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) |
| 1035 | { | 1036 | { |
| 1036 | return security_ops->xfrm_policy_delete_security(xp); | 1037 | return security_ops->xfrm_policy_delete_security(ctx); |
| 1037 | } | 1038 | } |
| 1038 | 1039 | ||
| 1039 | int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) | 1040 | int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) |
| @@ -1065,9 +1066,9 @@ void security_xfrm_state_free(struct xfrm_state *x) | |||
| 1065 | security_ops->xfrm_state_free_security(x); | 1066 | security_ops->xfrm_state_free_security(x); |
| 1066 | } | 1067 | } |
| 1067 | 1068 | ||
| 1068 | int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) | 1069 | int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) |
| 1069 | { | 1070 | { |
| 1070 | return security_ops->xfrm_policy_lookup(xp, fl_secid, dir); | 1071 | return security_ops->xfrm_policy_lookup(ctx, fl_secid, dir); |
| 1071 | } | 1072 | } |
| 1072 | 1073 | ||
| 1073 | int security_xfrm_state_pol_flow_match(struct xfrm_state *x, | 1074 | int security_xfrm_state_pol_flow_match(struct xfrm_state *x, |