diff options
| author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:32:20 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:28 -0400 |
| commit | cb969f072b6d67770b559617f14e767f47e77ece (patch) | |
| tree | 4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /net/key/af_key.c | |
| parent | beb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff) | |
[MLSXFRM]: Default labeling of socket specific IPSec policies
This defaults the label of socket-specific IPSec policies to be the
same as the socket they are set on.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/key/af_key.c')
| -rw-r--r-- | net/key/af_key.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index a065e1a67773..797c744a8438 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
| @@ -2843,14 +2843,14 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct | |||
| 2843 | return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); | 2843 | return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); |
| 2844 | } | 2844 | } |
| 2845 | 2845 | ||
| 2846 | static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | 2846 | static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, |
| 2847 | u8 *data, int len, int *dir) | 2847 | u8 *data, int len, int *dir) |
| 2848 | { | 2848 | { |
| 2849 | struct xfrm_policy *xp; | 2849 | struct xfrm_policy *xp; |
| 2850 | struct sadb_x_policy *pol = (struct sadb_x_policy*)data; | 2850 | struct sadb_x_policy *pol = (struct sadb_x_policy*)data; |
| 2851 | struct sadb_x_sec_ctx *sec_ctx; | 2851 | struct sadb_x_sec_ctx *sec_ctx; |
| 2852 | 2852 | ||
| 2853 | switch (family) { | 2853 | switch (sk->sk_family) { |
| 2854 | case AF_INET: | 2854 | case AF_INET: |
| 2855 | if (opt != IP_IPSEC_POLICY) { | 2855 | if (opt != IP_IPSEC_POLICY) { |
| 2856 | *dir = -EOPNOTSUPP; | 2856 | *dir = -EOPNOTSUPP; |
| @@ -2891,7 +2891,7 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | |||
| 2891 | xp->lft.hard_byte_limit = XFRM_INF; | 2891 | xp->lft.hard_byte_limit = XFRM_INF; |
| 2892 | xp->lft.soft_packet_limit = XFRM_INF; | 2892 | xp->lft.soft_packet_limit = XFRM_INF; |
| 2893 | xp->lft.hard_packet_limit = XFRM_INF; | 2893 | xp->lft.hard_packet_limit = XFRM_INF; |
| 2894 | xp->family = family; | 2894 | xp->family = sk->sk_family; |
| 2895 | 2895 | ||
| 2896 | xp->xfrm_nr = 0; | 2896 | xp->xfrm_nr = 0; |
| 2897 | if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC && | 2897 | if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC && |
| @@ -2907,8 +2907,10 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | |||
| 2907 | p += pol->sadb_x_policy_len*8; | 2907 | p += pol->sadb_x_policy_len*8; |
| 2908 | sec_ctx = (struct sadb_x_sec_ctx *)p; | 2908 | sec_ctx = (struct sadb_x_sec_ctx *)p; |
| 2909 | if (len < pol->sadb_x_policy_len*8 + | 2909 | if (len < pol->sadb_x_policy_len*8 + |
| 2910 | sec_ctx->sadb_x_sec_len) | 2910 | sec_ctx->sadb_x_sec_len) { |
| 2911 | *dir = -EINVAL; | ||
| 2911 | goto out; | 2912 | goto out; |
| 2913 | } | ||
| 2912 | if ((*dir = verify_sec_ctx_len(p))) | 2914 | if ((*dir = verify_sec_ctx_len(p))) |
| 2913 | goto out; | 2915 | goto out; |
| 2914 | uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx); | 2916 | uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx); |
| @@ -2918,6 +2920,11 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | |||
| 2918 | if (*dir) | 2920 | if (*dir) |
| 2919 | goto out; | 2921 | goto out; |
| 2920 | } | 2922 | } |
| 2923 | else { | ||
| 2924 | *dir = security_xfrm_sock_policy_alloc(xp, sk); | ||
| 2925 | if (*dir) | ||
| 2926 | goto out; | ||
| 2927 | } | ||
| 2921 | 2928 | ||
| 2922 | *dir = pol->sadb_x_policy_dir-1; | 2929 | *dir = pol->sadb_x_policy_dir-1; |
| 2923 | return xp; | 2930 | return xp; |