Forgot signoff -- see below.
On Jan 6, 2006, at 10:48 AM, Trent Jaeger wrote:
Hi,
This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.
(1) free the security context when xfrm_policy_insert() fails in
xfrm_add_policy (xfrm_user interface); previously it was leaked.
(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto
to setcontext.
This is intended to be a correction to the 2.6.16 tree.
Signed-off-by: Trent Jaeger <[EMAIL PROTECTED]>
Regards,
Trent.
---------------------------------
---
net/xfrm/xfrm_user.c | 1 +
security/selinux/include/av_perm_to_string.h | 3 +--
security/selinux/include/av_permissions.h | 3 +--
security/selinux/xfrm.c | 8 +-------
4 files changed, 4 insertions(+), 11 deletions(-)
diff -puN include/linux/security.h~lsm-relabel-nethooks include/
linux/security.h
diff -puN net/key/af_key.c~lsm-relabel-nethooks net/key/af_key.c
diff -puN net/xfrm/xfrm_user.c~lsm-relabel-nethooks net/xfrm/
xfrm_user.c
--- linux-2.6.15-rc5/net/xfrm/xfrm_user.c~lsm-relabel-nethooks
2006-01-04 22:35:41.000000000 -0500
+++ linux-2.6.15-rc5-root/net/xfrm/xfrm_user.c 2006-01-05
10:36:04.000000000 -0500
@@ -802,6 +802,7 @@ static int xfrm_add_policy(struct sk_buf
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
if (err) {
+ security_xfrm_policy_free(xp);
kfree(xp);
return err;
}
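Review bot: The added `security_xfrm_policy_free(xp)` before `kfree(xp)` is the right pairing, but nothing at the call site records why the LSM release has to precede the generic free, so a later cleanup could reorder or drop it; add `/* release the LSM context attached to xp before freeing the policy itself */` above the added line. Any other error exit between the point where the security context is attached and `xfrm_policy_insert()` needs the same pairing; those paths are outside the hunk, so they are worth confirming. xfrm_add_policy begins before the hunk and its body continues after it.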
diff -puN security/dummy.c~lsm-relabel-nethooks security/dummy.c
diff -puN security/selinux/hooks.c~lsm-relabel-nethooks security/
selinux/hooks.c
diff -puN security/selinux/include/av_perm_to_string.h~lsm-relabel-
nethooks security/selinux/include/av_perm_to_string.h
--- linux-2.6.15-rc5/security/selinux/include/
av_perm_to_string.h~lsm-relabel-nethooks 2006-01-04
22:35:41.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/include/
av_perm_to_string.h 2006-01-04 22:38:14.000000000 -0500
@@ -238,5 +238,4 @@
S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELFROM, "relabelfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RELABELTO, "relabelto")
+ S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
diff -puN security/selinux/include/av_permissions.h~lsm-relabel-
nethooks security/selinux/include/av_permissions.h
--- linux-2.6.15-rc5/security/selinux/include/av_permissions.h~lsm-
relabel-nethooks 2006-01-04 22:35:41.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/include/av_permissions.h
2006-01-04 22:38:13.000000000 -0500
@@ -908,8 +908,7 @@
#define ASSOCIATION__SENDTO 0x00000001UL
#define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__RELABELFROM 0x00000004UL
-#define ASSOCIATION__RELABELTO 0x00000008UL
+#define ASSOCIATION__SETCONTEXT 0x00000004UL
#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
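Review bot: `ASSOCIATION__SETCONTEXT` takes over the bit value 0x00000004UL that `ASSOCIATION__RELABELFROM` held, and 0x00000008UL is left undefined, so a policy built against the previous permission layout would have its association `relabelfrom` grant read as `setcontext` and its `relabelto` grant mapped to nothing, if permission bits are still matched positionally at policy load; the description does not mention this. These headers are normally regenerated from the policy's access_vectors definition rather than edited by hand, so the matching policy change should land alongside, and the commit message should state that policies granting association `{ relabelfrom relabelto }` must be updated to `setcontext`. A one-line addition to the message such as `Policy note: association relabelfrom/relabelto are replaced by setcontext; the permission bit layout changed.` would make the compatibility impact explicit.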
diff -puN security/selinux/include/av_inherit.h~lsm-relabel-
nethooks security/selinux/include/av_inherit.h
diff -puN security/selinux/include/class_to_string.h~lsm-relabel-
nethooks security/selinux/include/class_to_string.h
diff -puN security/selinux/include/common_perm_to_string.h~lsm-
relabel-nethooks security/selinux/include/common_perm_to_string.h
diff -puN security/selinux/include/flask.h~lsm-relabel-nethooks
security/selinux/include/flask.h
diff -puN security/selinux/include/initial_sid_to_string.h~lsm-
relabel-nethooks security/selinux/include/initial_sid_to_string.h
diff -puN security/selinux/include/xfrm.h~lsm-relabel-nethooks
security/selinux/include/xfrm.h
diff -puN security/selinux/xfrm.c~lsm-relabel-nethooks security/
selinux/xfrm.c
--- linux-2.6.15-rc5/security/selinux/xfrm.c~lsm-relabel-nethooks
2006-01-04 22:35:41.000000000 -0500
+++ linux-2.6.15-rc5-root/security/selinux/xfrm.c 2006-01-04
22:35:41.000000000 -0500
@@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(st
* Must be permitted to relabel from default socket type (process
type)
* to specified context
*/
- rc = avc_has_perm(tsec->sid, tsec->sid,
- SECCLASS_ASSOCIATION,
- ASSOCIATION__RELABELFROM, NULL);
- if (rc)
- goto out;
-
rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION,
- ASSOCIATION__RELABELTO, NULL);
+ ASSOCIATION__SETCONTEXT, NULL);
if (rc)
goto out;
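Review bot: The comment just above the remaining check still reads `Must be permitted to relabel from default socket type (process type) to specified context`, which describes the two-step relabelfrom/relabelto authorization this hunk removes; what is left is a single `setcontext` decision from the process SID (`tsec->sid`) to the requested context SID (`ctx->ctx_sid`). Replace the comment with `/* The caller (process SID) must hold association:setcontext on the requested context SID */` so the documented rule matches the enforced one. selinux_xfrm_sec_ctx_alloc starts before the hunk, and the code at the `out` label is outside it.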
_
Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: [EMAIL PROTECTED]
Ph: (814) 865-1042, Fax: (814) 865-3176