diff options
| author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:29:07 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:24 -0400 |
| commit | e0d1caa7b0d5f02e4f34aa09c695d04251310c6c (patch) | |
| tree | bf023c17abf6813f2694ebf5fafff82edd6a1023 /net/xfrm/xfrm_state.c | |
| parent | b6340fcd761acf9249b3acbc95c4dc555d9beb07 (diff) | |
[MLSXFRM]: Flow based matching of xfrm policy and state
This implements a seemless mechanism for xfrm policy selection and
state matching based on the flow sid. This also includes the necessary
SELinux enforcement pieces.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_state.c')
| -rw-r--r-- | net/xfrm/xfrm_state.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 0021aad5db43..be02bd981d12 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
| @@ -367,7 +367,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, | |||
| 367 | */ | 367 | */ |
| 368 | if (x->km.state == XFRM_STATE_VALID) { | 368 | if (x->km.state == XFRM_STATE_VALID) { |
| 369 | if (!xfrm_selector_match(&x->sel, fl, family) || | 369 | if (!xfrm_selector_match(&x->sel, fl, family) || |
| 370 | !xfrm_sec_ctx_match(pol->security, x->security)) | 370 | !security_xfrm_state_pol_flow_match(x, pol, fl)) |
| 371 | continue; | 371 | continue; |
| 372 | if (!best || | 372 | if (!best || |
| 373 | best->km.dying > x->km.dying || | 373 | best->km.dying > x->km.dying || |
| @@ -379,7 +379,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, | |||
| 379 | } else if (x->km.state == XFRM_STATE_ERROR || | 379 | } else if (x->km.state == XFRM_STATE_ERROR || |
| 380 | x->km.state == XFRM_STATE_EXPIRED) { | 380 | x->km.state == XFRM_STATE_EXPIRED) { |
| 381 | if (xfrm_selector_match(&x->sel, fl, family) && | 381 | if (xfrm_selector_match(&x->sel, fl, family) && |
| 382 | xfrm_sec_ctx_match(pol->security, x->security)) | 382 | security_xfrm_state_pol_flow_match(x, pol, fl)) |
| 383 | error = -ESRCH; | 383 | error = -ESRCH; |
| 384 | } | 384 | } |
| 385 | } | 385 | } |
| @@ -403,6 +403,14 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, | |||
| 403 | * to current session. */ | 403 | * to current session. */ |
| 404 | xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family); | 404 | xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family); |
| 405 | 405 | ||
| 406 | error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); | ||
| 407 | if (error) { | ||
| 408 | x->km.state = XFRM_STATE_DEAD; | ||
| 409 | xfrm_state_put(x); | ||
| 410 | x = NULL; | ||
| 411 | goto out; | ||
| 412 | } | ||
| 413 | |||
| 406 | if (km_query(x, tmpl, pol) == 0) { | 414 | if (km_query(x, tmpl, pol) == 0) { |
| 407 | x->km.state = XFRM_STATE_ACQ; | 415 | x->km.state = XFRM_STATE_ACQ; |
| 408 | list_add_tail(&x->bydst, xfrm_state_bydst+h); | 416 | list_add_tail(&x->bydst, xfrm_state_bydst+h); |