diff options
author | Catherine Zhang <cxzhang@watson.ibm.com> | 2006-08-02 17:12:06 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-08-02 17:12:06 -0400 |
commit | dc49c1f94e3469d94b952e8f5160dd4ccd791d79 (patch) | |
tree | e47b1974c262a03dbabf0a148325d9089817e78e /net/ipv4 | |
parent | 2b7e24b66d31d677d76b49918e711eb360c978b6 (diff) |
[AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch
From: Catherine Zhang <cxzhang@watson.ibm.com>
This patch implements a cleaner fix for the memory leak problem of the
original unix datagram getpeersec patch. Instead of creating a
security context each time a unix datagram is sent, we only create the
security context when the receiver requests it.
This new design requires modification of the current
unix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,
secid_to_secctx and release_secctx. The former retrieves the security
context and the latter releases it. A hook is required for releasing
the security context because it is up to the security module to decide
how that's done. In the case of Selinux, it's a simple kfree
operation.
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/ip_sockglue.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 84f43a3c9098..2d05c4133d3e 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c | |||
@@ -112,14 +112,19 @@ static void ip_cmsg_recv_retopts(struct msghdr *msg, struct sk_buff *skb) | |||
112 | static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) | 112 | static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) |
113 | { | 113 | { |
114 | char *secdata; | 114 | char *secdata; |
115 | u32 seclen; | 115 | u32 seclen, secid; |
116 | int err; | 116 | int err; |
117 | 117 | ||
118 | err = security_socket_getpeersec_dgram(skb, &secdata, &seclen); | 118 | err = security_socket_getpeersec_dgram(NULL, skb, &secid); |
119 | if (err) | ||
120 | return; | ||
121 | |||
122 | err = security_secid_to_secctx(secid, &secdata, &seclen); | ||
119 | if (err) | 123 | if (err) |
120 | return; | 124 | return; |
121 | 125 | ||
122 | put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); | 126 | put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); |
127 | security_release_secctx(secdata, seclen); | ||
123 | } | 128 | } |
124 | 129 | ||
125 | 130 | ||