aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-04-12 22:07:52 -0400
committerDavid S. Miller <davem@davemloft.net>2008-04-12 22:07:52 -0400
commit03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b (patch)
tree1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7 /include
parent00447872a643787411c2c0cb1df6169dda8b0c47 (diff)
LSM: Make the Labeled IPsec hooks more stack friendly
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to fix that problem by changing the LSM API to require only the relevant "security" pointers instead of the entire SPD entry; we do this for all of the security_xfrm_policy*() functions to keep things consistent. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h48
1 files changed, 24 insertions, 24 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index c673dfd4dffc..f5eb9ff47ac5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -910,24 +910,24 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
910 * Security hooks for XFRM operations. 910 * Security hooks for XFRM operations.
911 * 911 *
912 * @xfrm_policy_alloc_security: 912 * @xfrm_policy_alloc_security:
913 * @xp contains the xfrm_policy being added to Security Policy Database 913 * @ctxp is a pointer to the xfrm_sec_ctx being added to Security Policy
914 * used by the XFRM system. 914 * Database used by the XFRM system.
915 * @sec_ctx contains the security context information being provided by 915 * @sec_ctx contains the security context information being provided by
916 * the user-level policy update program (e.g., setkey). 916 * the user-level policy update program (e.g., setkey).
917 * Allocate a security structure to the xp->security field; the security 917 * Allocate a security structure to the xp->security field; the security
918 * field is initialized to NULL when the xfrm_policy is allocated. 918 * field is initialized to NULL when the xfrm_policy is allocated.
919 * Return 0 if operation was successful (memory to allocate, legal context) 919 * Return 0 if operation was successful (memory to allocate, legal context)
920 * @xfrm_policy_clone_security: 920 * @xfrm_policy_clone_security:
921 * @old contains an existing xfrm_policy in the SPD. 921 * @old_ctx contains an existing xfrm_sec_ctx.
922 * @new contains a new xfrm_policy being cloned from old. 922 * @new_ctxp contains a new xfrm_sec_ctx being cloned from old.
923 * Allocate a security structure to the new->security field 923 * Allocate a security structure in new_ctxp that contains the
924 * that contains the information from the old->security field. 924 * information from the old_ctx structure.
925 * Return 0 if operation was successful (memory to allocate). 925 * Return 0 if operation was successful (memory to allocate).
926 * @xfrm_policy_free_security: 926 * @xfrm_policy_free_security:
927 * @xp contains the xfrm_policy 927 * @ctx contains the xfrm_sec_ctx
928 * Deallocate xp->security. 928 * Deallocate xp->security.
929 * @xfrm_policy_delete_security: 929 * @xfrm_policy_delete_security:
930 * @xp contains the xfrm_policy. 930 * @ctx contains the xfrm_sec_ctx.
931 * Authorize deletion of xp->security. 931 * Authorize deletion of xp->security.
932 * @xfrm_state_alloc_security: 932 * @xfrm_state_alloc_security:
933 * @x contains the xfrm_state being added to the Security Association 933 * @x contains the xfrm_state being added to the Security Association
@@ -947,7 +947,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
947 * @x contains the xfrm_state. 947 * @x contains the xfrm_state.
948 * Authorize deletion of x->security. 948 * Authorize deletion of x->security.
949 * @xfrm_policy_lookup: 949 * @xfrm_policy_lookup:
950 * @xp contains the xfrm_policy for which the access control is being 950 * @ctx contains the xfrm_sec_ctx for which the access control is being
951 * checked. 951 * checked.
952 * @fl_secid contains the flow security label that is used to authorize 952 * @fl_secid contains the flow security label that is used to authorize
953 * access to the policy xp. 953 * access to the policy xp.
@@ -1454,17 +1454,17 @@ struct security_operations {
1454#endif /* CONFIG_SECURITY_NETWORK */ 1454#endif /* CONFIG_SECURITY_NETWORK */
1455 1455
1456#ifdef CONFIG_SECURITY_NETWORK_XFRM 1456#ifdef CONFIG_SECURITY_NETWORK_XFRM
1457 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, 1457 int (*xfrm_policy_alloc_security) (struct xfrm_sec_ctx **ctxp,
1458 struct xfrm_user_sec_ctx *sec_ctx); 1458 struct xfrm_user_sec_ctx *sec_ctx);
1459 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); 1459 int (*xfrm_policy_clone_security) (struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctx);
1460 void (*xfrm_policy_free_security) (struct xfrm_policy *xp); 1460 void (*xfrm_policy_free_security) (struct xfrm_sec_ctx *ctx);
1461 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp); 1461 int (*xfrm_policy_delete_security) (struct xfrm_sec_ctx *ctx);
1462 int (*xfrm_state_alloc_security) (struct xfrm_state *x, 1462 int (*xfrm_state_alloc_security) (struct xfrm_state *x,
1463 struct xfrm_user_sec_ctx *sec_ctx, 1463 struct xfrm_user_sec_ctx *sec_ctx,
1464 u32 secid); 1464 u32 secid);
1465 void (*xfrm_state_free_security) (struct xfrm_state *x); 1465 void (*xfrm_state_free_security) (struct xfrm_state *x);
1466 int (*xfrm_state_delete_security) (struct xfrm_state *x); 1466 int (*xfrm_state_delete_security) (struct xfrm_state *x);
1467 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 1467 int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
1468 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, 1468 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1469 struct xfrm_policy *xp, struct flowi *fl); 1469 struct xfrm_policy *xp, struct flowi *fl);
1470 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); 1470 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
@@ -2562,16 +2562,16 @@ static inline void security_inet_conn_established(struct sock *sk,
2562 2562
2563#ifdef CONFIG_SECURITY_NETWORK_XFRM 2563#ifdef CONFIG_SECURITY_NETWORK_XFRM
2564 2564
2565int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); 2565int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx);
2566int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); 2566int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctxp);
2567void security_xfrm_policy_free(struct xfrm_policy *xp); 2567void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
2568int security_xfrm_policy_delete(struct xfrm_policy *xp); 2568int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
2569int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); 2569int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
2570int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 2570int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
2571 struct xfrm_sec_ctx *polsec, u32 secid); 2571 struct xfrm_sec_ctx *polsec, u32 secid);
2572int security_xfrm_state_delete(struct xfrm_state *x); 2572int security_xfrm_state_delete(struct xfrm_state *x);
2573void security_xfrm_state_free(struct xfrm_state *x); 2573void security_xfrm_state_free(struct xfrm_state *x);
2574int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 2574int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
2575int security_xfrm_state_pol_flow_match(struct xfrm_state *x, 2575int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
2576 struct xfrm_policy *xp, struct flowi *fl); 2576 struct xfrm_policy *xp, struct flowi *fl);
2577int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid); 2577int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
@@ -2579,21 +2579,21 @@ void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
2579 2579
2580#else /* CONFIG_SECURITY_NETWORK_XFRM */ 2580#else /* CONFIG_SECURITY_NETWORK_XFRM */
2581 2581
2582static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 2582static inline int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx)
2583{ 2583{
2584 return 0; 2584 return 0;
2585} 2585}
2586 2586
2587static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 2587static inline int security_xfrm_policy_clone(struct xfrm_sec_ctx *old, struct xfrm_sec_ctx **new_ctxp)
2588{ 2588{
2589 return 0; 2589 return 0;
2590} 2590}
2591 2591
2592static inline void security_xfrm_policy_free(struct xfrm_policy *xp) 2592static inline void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
2593{ 2593{
2594} 2594}
2595 2595
2596static inline int security_xfrm_policy_delete(struct xfrm_policy *xp) 2596static inline int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
2597{ 2597{
2598 return 0; 2598 return 0;
2599} 2599}
@@ -2619,7 +2619,7 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x)
2619 return 0; 2619 return 0;
2620} 2620}
2621 2621
2622static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) 2622static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
2623{ 2623{
2624 return 0; 2624 return 0;
2625} 2625}