diff options
author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:32:20 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:28 -0400 |
commit | cb969f072b6d67770b559617f14e767f47e77ece (patch) | |
tree | 4112eb0182e8b3e28b42aebaa40ca25454fc6b76 /net | |
parent | beb8d13bed80f8388f1a9a107d07ddd342e627e8 (diff) |
[MLSXFRM]: Default labeling of socket specific IPSec policies
This defaults the label of socket-specific IPSec policies to be the
same as the socket they are set on.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/key/af_key.c | 15 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 2 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 13 |
3 files changed, 23 insertions, 7 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index a065e1a67773..797c744a8438 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -2843,14 +2843,14 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct | |||
2843 | return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); | 2843 | return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); |
2844 | } | 2844 | } |
2845 | 2845 | ||
2846 | static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | 2846 | static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, |
2847 | u8 *data, int len, int *dir) | 2847 | u8 *data, int len, int *dir) |
2848 | { | 2848 | { |
2849 | struct xfrm_policy *xp; | 2849 | struct xfrm_policy *xp; |
2850 | struct sadb_x_policy *pol = (struct sadb_x_policy*)data; | 2850 | struct sadb_x_policy *pol = (struct sadb_x_policy*)data; |
2851 | struct sadb_x_sec_ctx *sec_ctx; | 2851 | struct sadb_x_sec_ctx *sec_ctx; |
2852 | 2852 | ||
2853 | switch (family) { | 2853 | switch (sk->sk_family) { |
2854 | case AF_INET: | 2854 | case AF_INET: |
2855 | if (opt != IP_IPSEC_POLICY) { | 2855 | if (opt != IP_IPSEC_POLICY) { |
2856 | *dir = -EOPNOTSUPP; | 2856 | *dir = -EOPNOTSUPP; |
@@ -2891,7 +2891,7 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | |||
2891 | xp->lft.hard_byte_limit = XFRM_INF; | 2891 | xp->lft.hard_byte_limit = XFRM_INF; |
2892 | xp->lft.soft_packet_limit = XFRM_INF; | 2892 | xp->lft.soft_packet_limit = XFRM_INF; |
2893 | xp->lft.hard_packet_limit = XFRM_INF; | 2893 | xp->lft.hard_packet_limit = XFRM_INF; |
2894 | xp->family = family; | 2894 | xp->family = sk->sk_family; |
2895 | 2895 | ||
2896 | xp->xfrm_nr = 0; | 2896 | xp->xfrm_nr = 0; |
2897 | if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC && | 2897 | if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC && |
@@ -2907,8 +2907,10 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | |||
2907 | p += pol->sadb_x_policy_len*8; | 2907 | p += pol->sadb_x_policy_len*8; |
2908 | sec_ctx = (struct sadb_x_sec_ctx *)p; | 2908 | sec_ctx = (struct sadb_x_sec_ctx *)p; |
2909 | if (len < pol->sadb_x_policy_len*8 + | 2909 | if (len < pol->sadb_x_policy_len*8 + |
2910 | sec_ctx->sadb_x_sec_len) | 2910 | sec_ctx->sadb_x_sec_len) { |
2911 | *dir = -EINVAL; | ||
2911 | goto out; | 2912 | goto out; |
2913 | } | ||
2912 | if ((*dir = verify_sec_ctx_len(p))) | 2914 | if ((*dir = verify_sec_ctx_len(p))) |
2913 | goto out; | 2915 | goto out; |
2914 | uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx); | 2916 | uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx); |
@@ -2918,6 +2920,11 @@ static struct xfrm_policy *pfkey_compile_policy(u16 family, int opt, | |||
2918 | if (*dir) | 2920 | if (*dir) |
2919 | goto out; | 2921 | goto out; |
2920 | } | 2922 | } |
2923 | else { | ||
2924 | *dir = security_xfrm_sock_policy_alloc(xp, sk); | ||
2925 | if (*dir) | ||
2926 | goto out; | ||
2927 | } | ||
2921 | 2928 | ||
2922 | *dir = pol->sadb_x_policy_dir-1; | 2929 | *dir = pol->sadb_x_policy_dir-1; |
2923 | return xp; | 2930 | return xp; |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index be02bd981d12..1c796087ee78 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
@@ -1026,7 +1026,7 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen | |||
1026 | err = -EINVAL; | 1026 | err = -EINVAL; |
1027 | read_lock(&xfrm_km_lock); | 1027 | read_lock(&xfrm_km_lock); |
1028 | list_for_each_entry(km, &xfrm_km_list, list) { | 1028 | list_for_each_entry(km, &xfrm_km_list, list) { |
1029 | pol = km->compile_policy(sk->sk_family, optname, data, | 1029 | pol = km->compile_policy(sk, optname, data, |
1030 | optlen, &err); | 1030 | optlen, &err); |
1031 | if (err >= 0) | 1031 | if (err >= 0) |
1032 | break; | 1032 | break; |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index dac8db1088bc..f70e158874d2 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -1757,7 +1757,7 @@ static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, | |||
1757 | /* User gives us xfrm_user_policy_info followed by an array of 0 | 1757 | /* User gives us xfrm_user_policy_info followed by an array of 0 |
1758 | * or more templates. | 1758 | * or more templates. |
1759 | */ | 1759 | */ |
1760 | static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt, | 1760 | static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, |
1761 | u8 *data, int len, int *dir) | 1761 | u8 *data, int len, int *dir) |
1762 | { | 1762 | { |
1763 | struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; | 1763 | struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; |
@@ -1765,7 +1765,7 @@ static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt, | |||
1765 | struct xfrm_policy *xp; | 1765 | struct xfrm_policy *xp; |
1766 | int nr; | 1766 | int nr; |
1767 | 1767 | ||
1768 | switch (family) { | 1768 | switch (sk->sk_family) { |
1769 | case AF_INET: | 1769 | case AF_INET: |
1770 | if (opt != IP_XFRM_POLICY) { | 1770 | if (opt != IP_XFRM_POLICY) { |
1771 | *dir = -EOPNOTSUPP; | 1771 | *dir = -EOPNOTSUPP; |
@@ -1807,6 +1807,15 @@ static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt, | |||
1807 | copy_from_user_policy(xp, p); | 1807 | copy_from_user_policy(xp, p); |
1808 | copy_templates(xp, ut, nr); | 1808 | copy_templates(xp, ut, nr); |
1809 | 1809 | ||
1810 | if (!xp->security) { | ||
1811 | int err = security_xfrm_sock_policy_alloc(xp, sk); | ||
1812 | if (err) { | ||
1813 | kfree(xp); | ||
1814 | *dir = err; | ||
1815 | return NULL; | ||
1816 | } | ||
1817 | } | ||
1818 | |||
1810 | *dir = p->dir; | 1819 | *dir = p->dir; |
1811 | 1820 | ||
1812 | return xp; | 1821 | return xp; |