diff options
author | Trent Jaeger <tjaeger@cse.psu.edu> | 2006-01-06 16:22:39 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-01-06 16:22:39 -0500 |
commit | 5f8ac64b15172c7ced7d7990eb28342092bc751b (patch) | |
tree | 63046817c9a6e8db513379337f01289c045a5d63 | |
parent | 69549ddd2f894c4cead50ee2b60cc02990c389ad (diff) |
[LSM-IPSec]: Corrections to LSM-IPSec Nethooks
This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.
(1) free a security context on a failed insert via xfrm_user
interface in xfrm_add_policy. Memory leak.
(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto
to setcontext.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/xfrm/xfrm_user.c | 1 | ||||
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 3 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 3 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 8 |
4 files changed, 4 insertions, 11 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 92e2b804c606..ac87a09ba83e 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr | |||
802 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 802 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
803 | err = xfrm_policy_insert(p->dir, xp, excl); | 803 | err = xfrm_policy_insert(p->dir, xp, excl); |
804 | if (err) { | 804 | if (err) { |
805 | security_xfrm_policy_free(xp); | ||
805 | kfree(xp); | 806 | kfree(xp); |
806 | return err; | 807 | return err; |
807 | } | 808 | } |
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 71aeb12f07c8..591e98d9315a 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
@@ -238,5 +238,4 @@ | |||
238 | S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost") | 238 | S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost") |
239 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") | 239 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") |
240 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") | 240 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") |
241 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom") | 241 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") |
242 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto") | ||
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index d1d0996049e3..d7f02edf3930 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
@@ -908,8 +908,7 @@ | |||
908 | 908 | ||
909 | #define ASSOCIATION__SENDTO 0x00000001UL | 909 | #define ASSOCIATION__SENDTO 0x00000001UL |
910 | #define ASSOCIATION__RECVFROM 0x00000002UL | 910 | #define ASSOCIATION__RECVFROM 0x00000002UL |
911 | #define ASSOCIATION__RELABELFROM 0x00000004UL | 911 | #define ASSOCIATION__SETCONTEXT 0x00000004UL |
912 | #define ASSOCIATION__RELABELTO 0x00000008UL | ||
913 | 912 | ||
914 | #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL | 913 | #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL |
915 | #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL | 914 | #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c4d87d4dca7b..5b7776504e4c 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us | |||
137 | * Must be permitted to relabel from default socket type (process type) | 137 | * Must be permitted to relabel from default socket type (process type) |
138 | * to specified context | 138 | * to specified context |
139 | */ | 139 | */ |
140 | rc = avc_has_perm(tsec->sid, tsec->sid, | ||
141 | SECCLASS_ASSOCIATION, | ||
142 | ASSOCIATION__RELABELFROM, NULL); | ||
143 | if (rc) | ||
144 | goto out; | ||
145 | |||
146 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, | 140 | rc = avc_has_perm(tsec->sid, ctx->ctx_sid, |
147 | SECCLASS_ASSOCIATION, | 141 | SECCLASS_ASSOCIATION, |
148 | ASSOCIATION__RELABELTO, NULL); | 142 | ASSOCIATION__SETCONTEXT, NULL); |
149 | if (rc) | 143 | if (rc) |
150 | goto out; | 144 | goto out; |
151 | 145 | ||