xfrm: Add security check before flushing SAD/SPD

Currently we check for permission before deleting entries from SAD and SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete()) However we are not checking for authorization when flushing the SPD and the SAD completely. It was perhaps missed in the original security hooks patch. This patch adds a security check when flushing entries from the SAD and SPD. It runs the entire database and checks each entry for a denial. If the process attempting the flush is unable to remove all of the entries a denial is logged the the flush function returns an error without removing anything. This is particularly useful when a process may need to create or delete its own xfrm entries used for things like labeled networking but that same process should not be able to delete other entries or flush the entire database. Signed-off-by: Joy Latten<latten@austin.ibm.com> Signed-off-by: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
author: Joy Latten <latten@austin.ibm.com> 2007-06-04 19:05:57 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2007-06-07 16:42:46 -0400
commit: 4aa2e62c45b5ca08be2d0d3c0744d7585b56e860 (patch)
tree: 16649593d55f3df4dac54227fcda28bb4fb49f17 /net/xfrm/xfrm_policy.c
parent: b00b4bf94edb42852d55619af453588b2de2dc5e (diff)
1 files changed, 60 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 64a375178c5f..157bfbd250ba 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -834,11 +834,67 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete,
 }
 EXPORT_SYMBOL(xfrm_policy_byid);
-void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+static inline int
+xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
 {
-        int dir;
+        int dir, err = 0;
+        for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+                struct xfrm_policy *pol;
+                struct hlist_node *entry;
+                int i;
+                hlist_for_each_entry(pol, entry,
+                                     &xfrm_policy_inexact[dir], bydst) {
+                        if (pol->type != type)
+                                continue;
+                        err = security_xfrm_policy_delete(pol);
+                        if (err) {
+                                xfrm_audit_log(audit_info->loginuid,
+                                               audit_info->secid,
+                                               AUDIT_MAC_IPSEC_DELSPD, 0,
+                                               pol, NULL);
+                                return err;
+                        }
+                }
+                for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
+                        hlist_for_each_entry(pol, entry,
+                                             xfrm_policy_bydst[dir].table + i,
+                                             bydst) {
+                                if (pol->type != type)
+                                        continue;
+                                err = security_xfrm_policy_delete(pol);
+                                if (err) {
+                                        xfrm_audit_log(audit_info->loginuid,
+                                                       audit_info->secid,
+                                                       AUDIT_MAC_IPSEC_DELSPD,
+                                                       0, pol, NULL);
+                                        return err;
+                                }
+                        }
+                }
+        }
+        return err;
+}
+#else
+static inline int
+xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
+{
+        return 0;
+}
+#endif
+int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
+{
+        int dir, err = 0;
        write_lock_bh(&xfrm_policy_lock);
+        err = xfrm_policy_flush_secctx_check(type, audit_info);
+        if (err)
+                goto out;
        for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
                struct xfrm_policy *pol;
                struct hlist_node *entry;
@@ -891,7 +947,9 @@ void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
                xfrm_policy_count[dir] -= killed;
        }
        atomic_inc(&flow_cache_genid);
+out:
        write_unlock_bh(&xfrm_policy_lock);
+        return err;
 }
 EXPORT_SYMBOL(xfrm_policy_flush);
@@ -2583,4 +2641,3 @@ restore_state:
 }
 EXPORT_SYMBOL(xfrm_migrate);
 #endif
author	Joy Latten <latten@austin.ibm.com>	2007-06-04 19:05:57 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2007-06-07 16:42:46 -0400
commit	4aa2e62c45b5ca08be2d0d3c0744d7585b56e860 (patch)
tree	16649593d55f3df4dac54227fcda28bb4fb49f17 /net/xfrm/xfrm_policy.c
parent	b00b4bf94edb42852d55619af453588b2de2dc5e (diff)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 64a375178c5f..157bfbd250ba 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -834,11 +834,67 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete,
834	}	834	}
835	EXPORT_SYMBOL(xfrm_policy_byid);	835	EXPORT_SYMBOL(xfrm_policy_byid);
836		836
837	void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)	837	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		838	static inline int
		839	xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
838	{	840	{
839	int dir;	841	int dir, err = 0;
		842
		843	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
		844	struct xfrm_policy *pol;
		845	struct hlist_node *entry;
		846	int i;
		847
		848	hlist_for_each_entry(pol, entry,
		849	&xfrm_policy_inexact[dir], bydst) {
		850	if (pol->type != type)
		851	continue;
		852	err = security_xfrm_policy_delete(pol);
		853	if (err) {
		854	xfrm_audit_log(audit_info->loginuid,
		855	audit_info->secid,
		856	AUDIT_MAC_IPSEC_DELSPD, 0,
		857	pol, NULL);
		858	return err;
		859	}
		860	}
		861	for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
		862	hlist_for_each_entry(pol, entry,
		863	xfrm_policy_bydst[dir].table + i,
		864	bydst) {
		865	if (pol->type != type)
		866	continue;
		867	err = security_xfrm_policy_delete(pol);
		868	if (err) {
		869	xfrm_audit_log(audit_info->loginuid,
		870	audit_info->secid,
		871	AUDIT_MAC_IPSEC_DELSPD,
		872	0, pol, NULL);
		873	return err;
		874	}
		875	}
		876	}
		877	}
		878	return err;
		879	}
		880	#else
		881	static inline int
		882	xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
		883	{
		884	return 0;
		885	}
		886	#endif
		887
		888	int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
		889	{
		890	int dir, err = 0;
840		891
841	write_lock_bh(&xfrm_policy_lock);	892	write_lock_bh(&xfrm_policy_lock);
		893
		894	err = xfrm_policy_flush_secctx_check(type, audit_info);
		895	if (err)
		896	goto out;
		897
842	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {	898	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
843	struct xfrm_policy *pol;	899	struct xfrm_policy *pol;
844	struct hlist_node *entry;	900	struct hlist_node *entry;
@@ -891,7 +947,9 @@ void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
891	xfrm_policy_count[dir] -= killed;	947	xfrm_policy_count[dir] -= killed;
892	}	948	}
893	atomic_inc(&flow_cache_genid);	949	atomic_inc(&flow_cache_genid);
		950	out:
894	write_unlock_bh(&xfrm_policy_lock);	951	write_unlock_bh(&xfrm_policy_lock);
		952	return err;
895	}	953	}
896	EXPORT_SYMBOL(xfrm_policy_flush);	954	EXPORT_SYMBOL(xfrm_policy_flush);
897		955
@@ -2583,4 +2641,3 @@ restore_state:
2583	}	2641	}
2584	EXPORT_SYMBOL(xfrm_migrate);	2642	EXPORT_SYMBOL(xfrm_migrate);
2585	#endif	2643	#endif
2586