aboutsummaryrefslogtreecommitdiffstats
path: root/security/dummy.c
diff options
context:
space:
mode:
authorCatherine Zhang <cxzhang@watson.ibm.com>2006-08-02 17:12:06 -0400
committerDavid S. Miller <davem@davemloft.net>2006-08-02 17:12:06 -0400
commitdc49c1f94e3469d94b952e8f5160dd4ccd791d79 (patch)
treee47b1974c262a03dbabf0a148325d9089817e78e /security/dummy.c
parent2b7e24b66d31d677d76b49918e711eb360c978b6 (diff)
[AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch
From: Catherine Zhang <cxzhang@watson.ibm.com> This patch implements a cleaner fix for the memory leak problem of the original unix datagram getpeersec patch. Instead of creating a security context each time a unix datagram is sent, we only create the security context when the receiver requests it. This new design requires modification of the current unix_getsecpeer_dgram LSM hook and addition of two new hooks, namely, secid_to_secctx and release_secctx. The former retrieves the security context and the latter releases it. A hook is required for releasing the security context because it is up to the security module to decide how that's done. In the case of Selinux, it's a simple kfree operation. Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/dummy.c')
-rw-r--r--security/dummy.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/security/dummy.c b/security/dummy.c
index bbbfda70e131..58c6d399c844 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -791,8 +791,7 @@ static int dummy_socket_getpeersec_stream(struct socket *sock, char __user *optv
791 return -ENOPROTOOPT; 791 return -ENOPROTOOPT;
792} 792}
793 793
794static int dummy_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, 794static int dummy_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
795 u32 *seclen)
796{ 795{
797 return -ENOPROTOOPT; 796 return -ENOPROTOOPT;
798} 797}
@@ -876,6 +875,15 @@ static int dummy_setprocattr(struct task_struct *p, char *name, void *value, siz
876 return -EINVAL; 875 return -EINVAL;
877} 876}
878 877
878static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
879{
880 return -EOPNOTSUPP;
881}
882
883static void dummy_release_secctx(char *secdata, u32 seclen)
884{
885}
886
879#ifdef CONFIG_KEYS 887#ifdef CONFIG_KEYS
880static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx, 888static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
881 unsigned long flags) 889 unsigned long flags)
@@ -1028,6 +1036,8 @@ void security_fixup_ops (struct security_operations *ops)
1028 set_to_dummy_if_null(ops, d_instantiate); 1036 set_to_dummy_if_null(ops, d_instantiate);
1029 set_to_dummy_if_null(ops, getprocattr); 1037 set_to_dummy_if_null(ops, getprocattr);
1030 set_to_dummy_if_null(ops, setprocattr); 1038 set_to_dummy_if_null(ops, setprocattr);
1039 set_to_dummy_if_null(ops, secid_to_secctx);
1040 set_to_dummy_if_null(ops, release_secctx);
1031#ifdef CONFIG_SECURITY_NETWORK 1041#ifdef CONFIG_SECURITY_NETWORK
1032 set_to_dummy_if_null(ops, unix_stream_connect); 1042 set_to_dummy_if_null(ops, unix_stream_connect);
1033 set_to_dummy_if_null(ops, unix_may_send); 1043 set_to_dummy_if_null(ops, unix_may_send);