Commit 5f8ac64b15172c7ced7d7990eb28342092bc751b

Authored by Trent Jaeger
Committed by David S. Miller
1 parent 69549ddd2f

[LSM-IPSec]: Corrections to LSM-IPSec Nethooks

This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.

(1) free a security context on a failed insert via xfrm_user
interface in xfrm_add_policy.  Memory leak.

(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto
to setcontext.

Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 4 changed files with 4 additions and 11 deletions

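--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -802,6 +802,7 @@
 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
 err = xfrm_policy_insert(p->dir, xp, excl);
 if (err) {
+security_xfrm_policy_free(xp);
 kfree(xp);
 return err;
 }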
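Review bot: The new security_xfrm_policy_free(xp) call on the insert-failure path says nothing about which earlier allocation it undoes, and that allocation is outside the hunk, so a later cleanup could easily drop the line again; a one-line comment such as `/* release the LSM context attached to xp before the policy is discarded */` above it would pin the pairing. If xfrm_add_sa has an equivalent insert-failure path for states (not visible here), it presumably needs the matching state-context release — worth checking. The enclosing function xfrm_add_policy starts and ends outside the hunk.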
security/selinux/include/av_perm_to_string.h
... ... @@ -238,6 +238,5 @@
238 238 S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
239 239 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
240 240 S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
241   - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
242   - S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
  241 + S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
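--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -908,8 +908,7 @@
 
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__RELABELFROM 0x00000004UL
-#define ASSOCIATION__RELABELTO 0x00000008UL
+#define ASSOCIATION__SETCONTEXT 0x00000004UL
 
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL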
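Review bot: Reusing the 0x00000004UL bit for ASSOCIATION__SETCONTEXT means a policy compiled against the previous header, where that bit meant relabelfrom, would decode as setcontext if the kernel accepted it; if the kernel validates a loaded policy's permission names and values against these tables (av_perm_to_string.h is changed the same way in this commit), confirm that the name mismatch makes the load fail loudly rather than silently granting the new permission to anything that previously held relabelfrom. If these two headers are generated from the policy's access_vectors definitions rather than hand-edited, the change belongs in that input too, otherwise the next regeneration reverts it.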
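--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -137,15 +137,9 @@
 * Must be permitted to relabel from default socket type (process type)
 * to specified context
 */
-rc = avc_has_perm(tsec->sid, tsec->sid,
-SECCLASS_ASSOCIATION,
-ASSOCIATION__RELABELFROM, NULL);
-if (rc)
-goto out;
-
 rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 SECCLASS_ASSOCIATION,
-ASSOCIATION__RELABELTO, NULL);
+ASSOCIATION__SETCONTEXT, NULL);
 if (rc)
 goto out;
 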
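Review bot: The comment kept at the top of the hunk, "Must be permitted to relabel from default socket type (process type) to specified context", still describes the removed relabelfrom/relabelto pair rather than the single setcontext check that remains, so it now misstates what is authorized; reword it to something like `* Must be permitted to set the specified context (setcontext) on the association`, noting that the `/*` opening the comment sits above the hunk. With the self-to-self check gone, the only remaining authorization is from tsec->sid to the caller-supplied ctx->ctx_sid, which matches the commit description but deserves a sentence in the comment so a reader does not look for a second check. The enclosing function starts and ends outside the hunk (the `out:` label is not shown).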