aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-07-25 02:32:20 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:28 -0400
commitcb969f072b6d67770b559617f14e767f47e77ece (patch)
tree4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /net
parentbeb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff)
[MLSXFRM]: Default labeling of socket specific IPSec policies
This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/key/af_key.c15
-rw-r--r--net/xfrm/xfrm_state.c2
-rw-r--r--net/xfrm/xfrm_user.c13
3 files changed, 23 insertions, 7 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index a065e1a67773..797c744a8438 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2843,14 +2843,14 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
2843 return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); 2843 return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL);
2844} 2844}
2845 2845
2846static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, 2846static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
2847 u8 *data, int len, int *dir) 2847 u8 *data, int len, int *dir)
2848{ 2848{
2849 struct xfrm_policy *xp; 2849 struct xfrm_policy *xp;
2850 struct sadb_x_policy *pol = (struct sadb_x_policy*)data; 2850 struct sadb_x_policy *pol = (struct sadb_x_policy*)data;
2851 struct sadb_x_sec_ctx *sec_ctx; 2851 struct sadb_x_sec_ctx *sec_ctx;
2852 2852
2853 switch (family) { 2853 switch (sk->sk_family) {
2854 case AF_INET: 2854 case AF_INET:
2855 if (opt != IP_IPSEC_POLICY) { 2855 if (opt != IP_IPSEC_POLICY) {
2856 *dir = -EOPNOTSUPP; 2856 *dir = -EOPNOTSUPP;
@@ -2891,7 +2891,7 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt,
2891 xp->lft.hard_byte_limit = XFRM_INF; 2891 xp->lft.hard_byte_limit = XFRM_INF;
2892 xp->lft.soft_packet_limit = XFRM_INF; 2892 xp->lft.soft_packet_limit = XFRM_INF;
2893 xp->lft.hard_packet_limit = XFRM_INF; 2893 xp->lft.hard_packet_limit = XFRM_INF;
2894 xp->family = family; 2894 xp->family = sk->sk_family;
2895 2895
2896 xp->xfrm_nr = 0; 2896 xp->xfrm_nr = 0;
2897 if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC && 2897 if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
@@ -2907,8 +2907,10 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt,
2907 p += pol->sadb_x_policy_len*8; 2907 p += pol->sadb_x_policy_len*8;
2908 sec_ctx = (struct sadb_x_sec_ctx *)p; 2908 sec_ctx = (struct sadb_x_sec_ctx *)p;
2909 if (len < pol->sadb_x_policy_len*8 + 2909 if (len < pol->sadb_x_policy_len*8 +
2910 sec_ctx->sadb_x_sec_len) 2910 sec_ctx->sadb_x_sec_len) {
2911 *dir = -EINVAL;
2911 goto out; 2912 goto out;
2913 }
2912 if ((*dir = verify_sec_ctx_len(p))) 2914 if ((*dir = verify_sec_ctx_len(p)))
2913 goto out; 2915 goto out;
2914 uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx); 2916 uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx);
@@ -2918,6 +2920,11 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt,
2918 if (*dir) 2920 if (*dir)
2919 goto out; 2921 goto out;
2920 } 2922 }
2923 else {
2924 *dir = security_xfrm_sock_policy_alloc(xp, sk);
2925 if (*dir)
2926 goto out;
2927 }
2921 2928
2922 *dir = pol->sadb_x_policy_dir-1; 2929 *dir = pol->sadb_x_policy_dir-1;
2923 return xp; 2930 return xp;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index be02bd981d12..1c796087ee78 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1026,7 +1026,7 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
1026 err = -EINVAL; 1026 err = -EINVAL;
1027 read_lock(&xfrm_km_lock); 1027 read_lock(&xfrm_km_lock);
1028 list_for_each_entry(km, &xfrm_km_list, list) { 1028 list_for_each_entry(km, &xfrm_km_list, list) {
1029 pol = km->compile_policy(sk->sk_family, optname, data, 1029 pol = km->compile_policy(sk, optname, data,
1030 optlen, &err); 1030 optlen, &err);
1031 if (err >= 0) 1031 if (err >= 0)
1032 break; 1032 break;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index dac8db1088bc..f70e158874d2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1757,7 +1757,7 @@ static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt,
1757/* User gives us xfrm_user_policy_info followed by an array of 0 1757/* User gives us xfrm_user_policy_info followed by an array of 0
1758 * or more templates. 1758 * or more templates.
1759 */ 1759 */
1760static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt, 1760static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
1761 u8 *data, int len, int *dir) 1761 u8 *data, int len, int *dir)
1762{ 1762{
1763 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 1763 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data;
@@ -1765,7 +1765,7 @@ static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt,
1765 struct xfrm_policy *xp; 1765 struct xfrm_policy *xp;
1766 int nr; 1766 int nr;
1767 1767
1768 switch (family) { 1768 switch (sk->sk_family) {
1769 case AF_INET: 1769 case AF_INET:
1770 if (opt != IP_XFRM_POLICY) { 1770 if (opt != IP_XFRM_POLICY) {
1771 *dir = -EOPNOTSUPP; 1771 *dir = -EOPNOTSUPP;
@@ -1807,6 +1807,15 @@ static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt,
1807 copy_from_user_policy(xp, p); 1807 copy_from_user_policy(xp, p);
1808 copy_templates(xp, ut, nr); 1808 copy_templates(xp, ut, nr);
1809 1809
1810 if (!xp->security) {
1811 int err = security_xfrm_sock_policy_alloc(xp, sk);
1812 if (err) {
1813 kfree(xp);
1814 *dir = err;
1815 return NULL;
1816 }
1817 }
1818
1810 *dir = p->dir; 1819 *dir = p->dir;
1811 1820
1812 return xp; 1821 return xp;