xfrm: Add security check before flushing SAD/SPD

Currently we check for permission before deleting entries from SAD and SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete()) However we are not checking for authorization when flushing the SPD and the SAD completely. It was perhaps missed in the original security hooks patch. This patch adds a security check when flushing entries from the SAD and SPD. It runs the entire database and checks each entry for a denial. If the process attempting the flush is unable to remove all of the entries a denial is logged the the flush function returns an error without removing anything. This is particularly useful when a process may need to create or delete its own xfrm entries used for things like labeled networking but that same process should not be able to delete other entries or flush the entire database. Signed-off-by: Joy Latten<latten@austin.ibm.com> Signed-off-by: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
author: Joy Latten <latten@austin.ibm.com> 2007-06-04 19:05:57 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2007-06-07 16:42:46 -0400
commit: 4aa2e62c45b5ca08be2d0d3c0744d7585b56e860 (patch)
tree: 16649593d55f3df4dac54227fcda28bb4fb49f17 /net/xfrm/xfrm_state.c
parent: b00b4bf94edb42852d55619af453588b2de2dc5e (diff)
1 files changed, 43 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 372f06eb8bb7..85f3f43a6cca 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -391,12 +391,48 @@ int xfrm_state_delete(struct xfrm_state *x)
 }
 EXPORT_SYMBOL(xfrm_state_delete);
-void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+static inline int
+xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
 {
-        int i;
+        int i, err = 0;
-        int err = 0;
+        for (i = 0; i <= xfrm_state_hmask; i++) {
+                struct hlist_node *entry;
+                struct xfrm_state *x;
+                hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
+                        if (xfrm_id_proto_match(x->id.proto, proto) &&
+                           (err = security_xfrm_state_delete(x)) != 0) {
+                                xfrm_audit_log(audit_info->loginuid,
+                                               audit_info->secid,
+                                               AUDIT_MAC_IPSEC_DELSA,
+                                               0, NULL, x);
+                                return err;
+                        }
+                }
+        }
+        return err;
+}
+#else
+static inline int
+xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
+{
+        return 0;
+}
+#endif
+int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
+{
+        int i, err = 0;
        spin_lock_bh(&xfrm_state_lock);
+        err = xfrm_state_flush_secctx_check(proto, audit_info);
+        if (err)
+                goto out;
        for (i = 0; i <= xfrm_state_hmask; i++) {
                struct hlist_node *entry;
                struct xfrm_state *x;
@@ -419,8 +455,12 @@ restart:
                        }
                }
        }
+        err = 0;
+out:
        spin_unlock_bh(&xfrm_state_lock);
        wake_up(&km_waitq);
+        return err;
 }
 EXPORT_SYMBOL(xfrm_state_flush);
author	Joy Latten <latten@austin.ibm.com>	2007-06-04 19:05:57 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2007-06-07 16:42:46 -0400
commit	4aa2e62c45b5ca08be2d0d3c0744d7585b56e860 (patch)
tree	16649593d55f3df4dac54227fcda28bb4fb49f17 /net/xfrm/xfrm_state.c
parent	b00b4bf94edb42852d55619af453588b2de2dc5e (diff)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 372f06eb8bb7..85f3f43a6cca 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -391,12 +391,48 @@ int xfrm_state_delete(struct xfrm_state *x)
391	}	391	}
392	EXPORT_SYMBOL(xfrm_state_delete);	392	EXPORT_SYMBOL(xfrm_state_delete);
393		393
394	void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)	394	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		395	static inline int
		396	xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
395	{	397	{
396	int i;	398	int i, err = 0;
397	int err = 0;	399
		400	for (i = 0; i <= xfrm_state_hmask; i++) {
		401	struct hlist_node *entry;
		402	struct xfrm_state *x;
		403
		404	hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
		405	if (xfrm_id_proto_match(x->id.proto, proto) &&
		406	(err = security_xfrm_state_delete(x)) != 0) {
		407	xfrm_audit_log(audit_info->loginuid,
		408	audit_info->secid,
		409	AUDIT_MAC_IPSEC_DELSA,
		410	0, NULL, x);
		411
		412	return err;
		413	}
		414	}
		415	}
		416
		417	return err;
		418	}
		419	#else
		420	static inline int
		421	xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
		422	{
		423	return 0;
		424	}
		425	#endif
		426
		427	int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
		428	{
		429	int i, err = 0;
398		430
399	spin_lock_bh(&xfrm_state_lock);	431	spin_lock_bh(&xfrm_state_lock);
		432	err = xfrm_state_flush_secctx_check(proto, audit_info);
		433	if (err)
		434	goto out;
		435
400	for (i = 0; i <= xfrm_state_hmask; i++) {	436	for (i = 0; i <= xfrm_state_hmask; i++) {
401	struct hlist_node *entry;	437	struct hlist_node *entry;
402	struct xfrm_state *x;	438	struct xfrm_state *x;
@@ -419,8 +455,12 @@ restart:
419	}	455	}
420	}	456	}
421	}	457	}
		458	err = 0;
		459
		460	out:
422	spin_unlock_bh(&xfrm_state_lock);	461	spin_unlock_bh(&xfrm_state_lock);
423	wake_up(&km_waitq);	462	wake_up(&km_waitq);
		463	return err;
424	}	464	}
425	EXPORT_SYMBOL(xfrm_state_flush);	465	EXPORT_SYMBOL(xfrm_state_flush);
426		466