Diffstat (limited to 'security/selinux/xfrm.c')
| -rw-r--r-- | security/selinux/xfrm.c | 18 |
1 files changed, 16 insertions, 2 deletions
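--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -46,11 +46,14 @@
 #include <net/checksum.h>
 #include <net/udp.h>
 #include <asm/semaphore.h>
+#include <asm/atomic.h>
 
 #include "avc.h"
 #include "objsec.h"
 #include "xfrm.h"
 
+/* Labeled XFRM instance counter */
+atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0);
 
 /*
  * Returns true if an LSM/SELinux context
@@ -293,6 +296,9 @@ int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
 	BUG_ON(!uctx);
 
 	err = selinux_xfrm_sec_ctx_alloc(&xp->security, uctx, 0);
+	if (err == 0)
+		atomic_inc(&selinux_xfrm_refcount);
+
 	return err;
 }
 
@@ -340,10 +346,13 @@ int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
 	struct xfrm_sec_ctx *ctx = xp->security;
 	int rc = 0;
 
-	if (ctx)
+	if (ctx) {
 		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 				  SECCLASS_ASSOCIATION,
 				  ASSOCIATION__SETCONTEXT, NULL);
+		if (rc == 0)
+			atomic_dec(&selinux_xfrm_refcount);
+	}
 
 	return rc;
 }
@@ -360,6 +369,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uct
 	BUG_ON(!x);
 
 	err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid);
+	if (err == 0)
+		atomic_inc(&selinux_xfrm_refcount);
 	return err;
 }
 
@@ -382,10 +393,13 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
 	struct xfrm_sec_ctx *ctx = x->security;
 	int rc = 0;
 
-	if (ctx)
+	if (ctx) {
 		rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 				  SECCLASS_ASSOCIATION,
 				  ASSOCIATION__SETCONTEXT, NULL);
+		if (rc == 0)
+			atomic_dec(&selinux_xfrm_refcount);
+	}
 
 	return rc;
 }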
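Review bot: The increment and decrement are keyed to different events, so `selinux_xfrm_refcount` can drift: the alloc hunks bump it whenever `selinux_xfrm_sec_ctx_alloc` attaches a context, but the decrement in the `selinux_xfrm_policy_delete` and `selinux_xfrm_state_delete` hunks only fires when the `avc_has_perm` SETCONTEXT check returns 0, and a context released without passing through a successful delete call (an insert failure after alloc, or a copied policy, neither of which this diff touches) is never counted down. If the counter is later used to decide whether labeled-XFRM checks can be skipped, an inflated value only costs extra checks, but the asymmetry makes the value hard to reason about either way; moving the `atomic_dec(&selinux_xfrm_refcount);` to the point where the `xfrm_sec_ctx` is actually freed, with a matching `atomic_inc` on any copy path, would make it the instance count that `/* Labeled XFRM instance counter */` promises. A short comment on the declaration stating exactly which events the counter tracks would also help the next reader judge whether a caller may rely on it reaching zero. Every hunk cuts into the middle of its function, so the surrounding bodies and the free/clone paths are not visible here.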
