Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5f8ac64b authored by Trent Jaeger's avatar Trent Jaeger Committed by David S. Miller
Browse files

[LSM-IPSec]: Corrections to LSM-IPSec Nethooks 



This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.  

(1) free a security context on a failed insert via xfrm_user 
interface in xfrm_add_policy.  Memory leak.

(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto 
to setcontext.

Signed-off-by: default avatarTrent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 69549ddd

net/xfrm/xfrm_user.c

+1 −0
Original line number Diff line number Diff line
@@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr 
	excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;

	err = xfrm_policy_insert(p->dir, xp, excl);

	if (err) {

		security_xfrm_policy_free(xp);

		kfree(xp);

		return err;

	}

security/selinux/include/av_perm_to_string.h

+1 −2
Original line number Diff line number Diff line
@@ -238,5 +238,4 @@ 
   S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")

   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")

   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")

   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")

   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
 
   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")

security/selinux/include/av_permissions.h

+1 −2
Original line number Diff line number Diff line
@@ -908,8 +908,7 @@ 


#define ASSOCIATION__SENDTO                       0x00000001UL

#define ASSOCIATION__RECVFROM                     0x00000002UL

#define ASSOCIATION__RELABELFROM                  0x00000004UL

#define ASSOCIATION__RELABELTO                    0x00000008UL

#define ASSOCIATION__SETCONTEXT                   0x00000004UL



#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL

#define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL

security/selinux/xfrm.c

+1 −7
Original line number Diff line number Diff line
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us 
	 * Must be permitted to relabel from default socket type (process type)

	 * to specified context

	 */

	rc = avc_has_perm(tsec->sid, tsec->sid,

			  SECCLASS_ASSOCIATION,

			  ASSOCIATION__RELABELFROM, NULL);

	if (rc)

		goto out;



	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,

			  SECCLASS_ASSOCIATION,

			  ASSOCIATION__RELABELTO, NULL);

			  ASSOCIATION__SETCONTEXT, NULL);

	if (rc)

		goto out;