authorTrent Jaeger <tjaeger@cse.psu.edu>2006-01-06 16:22:39 -0500
committerDavid S. Miller <davem@davemloft.net>2006-01-06 16:22:39 -0500
commit5f8ac64b15172c7ced7d7990eb28342092bc751b (patch)
tree63046817c9a6e8db513379337f01289c045a5d63
parent69549ddd2f894c4cead50ee2b60cc02990c389ad (diff)
[LSM-IPSec]: Corrections to LSM-IPSec Nethooks
This patch contains two corrections to the LSM-IPsec Nethooks patches previously applied. (1) Free the security context on a failed insert via the xfrm_user interface in xfrm_add_policy; this was a memory leak. (2) Change the authorization for allocating a security context in an xfrm_policy or xfrm_state from both relabelfrom and relabelto to setcontext. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/xfrm/xfrm_user.c1
-rw-r--r--security/selinux/include/av_perm_to_string.h3
-rw-r--r--security/selinux/include/av_permissions.h3
-rw-r--r--security/selinux/xfrm.c8
4 files changed, 4 insertions, 11 deletions
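--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
 	excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
 	err = xfrm_policy_insert(p->dir, xp, excl);
 	if (err) {
+		security_xfrm_policy_free(xp);
 		kfree(xp);
 		return err;
 	}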
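Review bot: The added `security_xfrm_policy_free(xp)` only covers the xfrm_policy_insert() failure path; any earlier failure path in xfrm_add_policy that discards xp after its security context has been attached (none is visible in this hunk, so this is an inference) would need the same call before kfree(). The order here — release the LSM context first, then kfree(xp) — is the right one, presumably because the context is reachable only through xp; a one-line comment would keep the next editor from swapping them: `/* release the LSM context attached to xp before xp itself is freed */`. xfrm_add_policy begins before this hunk and continues after it.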
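--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -238,5 +238,4 @@
    S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")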
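--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -908,8 +908,7 @@
 
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__RELABELFROM 0x00000004UL
-#define ASSOCIATION__RELABELTO 0x00000008UL
+#define ASSOCIATION__SETCONTEXT 0x00000004UL
 
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL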
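--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
 	 * Must be permitted to relabel from default socket type (process type)
 	 * to specified context
 	 */
-	rc = avc_has_perm(tsec->sid, tsec->sid,
-			  SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RELABELFROM, NULL);
-	if (rc)
-		goto out;
-
 	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 			  SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RELABELTO, NULL);
+			  ASSOCIATION__SETCONTEXT, NULL);
 	if (rc)
 		goto out;
 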
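Review bot: The comment left in context at lines 137-139 ("Must be permitted to relabel from default socket type (process type) to specified context") still describes the two-step relabelfrom/relabelto check that this hunk removes, so it now misdescribes the single ASSOCIATION__SETCONTEXT check that replaces it. Reword it to match the new permission, e.g. `* The calling task must hold association:setcontext on the requested context (tsec->sid -> ctx->ctx_sid)`; since those lines are unchanged context they would need to be touched in the same commit to avoid a stale comment. Note also that the old self-targeted relabelfrom check is dropped entirely, not folded into the new check, which is presumably intended given the description but worth a sentence in the commit message. selinux_xfrm_sec_ctx_alloc starts before this hunk and its out: label lies after it.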