Commit 5f8ac64b15172c7ced7d7990eb28342092bc751b
Committed by
David S. Miller
1 parent
69549ddd2f
[LSM-IPSec]: Corrections to LSM-IPSec Nethooks
This patch contains two corrections to the LSM-IPsec Nethooks patches previously applied. (1) Free the security context on a failed insert via the xfrm_user interface in xfrm_add_policy, which otherwise leaked memory. (2) Change the authorization for allocating a security context in an xfrm_policy or xfrm_state from requiring both relabelfrom and relabelto to requiring setcontext. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 4 changed files with 4 additions and 11 deletions Side-by-side Diff
net/xfrm/xfrm_user.c
security/selinux/include/av_perm_to_string.h
... | ... | @@ -238,6 +238,5 @@ |
238 | 238 | S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost") |
239 | 239 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") |
240 | 240 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") |
241 | - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom") | |
242 | - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto") | |
241 | + S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") |
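--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -908,8 +908,7 @@
 
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__RELABELFROM 0x00000004UL
-#define ASSOCIATION__RELABELTO 0x00000008UL
+#define ASSOCIATION__SETCONTEXT 0x00000004UL
 
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL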
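--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -137,15 +137,9 @@
  * Must be permitted to relabel from default socket type (process type)
  * to specified context
  */
-	rc = avc_has_perm(tsec->sid, tsec->sid,
-			  SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RELABELFROM, NULL);
-	if (rc)
-		goto out;
-
 	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 			  SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RELABELTO, NULL);
+			  ASSOCIATION__SETCONTEXT, NULL);
 	if (rc)
 		goto out;
 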
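Review bot: The comment retained at the top of this hunk still describes the removed two-step relabel check ("Must be permitted to relabel from default socket type (process type) to specified context"), while the code beneath it now makes a single avc_has_perm() call from tsec->sid to ctx->ctx_sid for ASSOCIATION__SETCONTEXT, so the comment no longer matches the authorization being enforced. Suggest rewording it to `/* Must be permitted to set the specified context on the association (setcontext) */`. Since the av_permissions.h hunk reuses the 0x00000004UL bit formerly assigned to ASSOCIATION__RELABELFROM for ASSOCIATION__SETCONTEXT, the kernel header and the policy's access-vector definitions have to be updated together, or a policy built against the old header would have its relabelfrom grant interpreted as setcontext. The enclosing function starts and ends outside this hunk.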