Subject: Re: [PATCH 1/2] LSM-IPSec Networking Hooks -- mods
based on Herbert's comments
Hi Trent:
Thanks for your good work. Here are the comments for your first patch.
I won't comment on the second patch since others have already looked
through it and I don't know enough about SELINUX to be of much help.
On Thu, Aug 11, 2005 at 02:21:15PM -0400, jaegert wrote:
>
> +static inline
This patch has been modified based on Herbert's comments. I also
added explicit length checking code to xfrm_user.c based on Herbert's
comments in the rest of the code.
Most of the other modifications are deletions of unnecessary checks
per Herbert's identification.
Regards,
Trent.
==
Re: [PATCH 1/2] LSM-IPSec Networking Hooks --
revised flow cache [resend]
On Tue, Aug 09, 2005 at 02:20:45PM -0400, Trent Jaeger wrote:
>
> > What makes spddelete different from spdadd?
>
> spddelete takes a context string as input and we need to retrieve the
> policy that matches the selector (xfrm_policy_bysel) and the security
> context. The additional code checks
Trent Jaeger <[EMAIL PROTECTED]> wrote:
>
> This is specific to CONFIG_SECURITY_NETWORK_XFRM as contexts will only be
> used in that case. I will make it conditional on that instead, if that's
> OK.
That sounds good.
Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{Pm
> > @@ -2108,7 +2230,18 @@ static int pfkey_spddelete(struct sock *
> > if (sel.dport)
> > sel.dport_mask = ~0;
> >
> > -xp = xfrm_policy_bysel(pol->sadb_x_policy_dir-1, &sel,
1);
> > +sec_ctx = (struct sadb_x_sec_ctx *)
ext_hdrs[
> > @@ -2703,10 +2837,22 @@ static struct xfrm_policy *pfkey_compile
> > (*dir = parse_ipsecrequests(xp, pol)) < 0)
> > goto out;
> >
> > +/* security context too */
> > +if (len >= (pol->sadb_x_policy_len*8 +
> > +
I have a few questions on your comments. The ones for which I do not have
questions, I will modify as suggested.
> > diff -puN include/net/xfrm.h~lsm-xfrm-nethooks include/net/xfrm.h
>> --- linux-2.6.13-rc4-xfrm/include/net/xfrm.h~lsm-xfrm-nethooks
2005-08-01 16:11:22.0 -0400
>> +++ li
/2005 03:45 AM
To: Trent Jaeger/Watson/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
netdev@vger.kernel.org, [EMAIL PROTECTED], Serge E
Hallyn/Austin/[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PAT
On Tue, Aug 02, 2005 at 02:04:41PM -0400, jaegert wrote:
> Resend of 20 July patch that repaired the flow_cache_lookup
> authorization (now for 2.6.13-rc4-git4).
Thanks Trent. I'm happy with the flow cache stuff now.
However, there are still some technical details to take
care of.
> diff -puN i
On Tue, Aug 02, 2005 at 02:04:41PM -0400, jaegert wrote:
> Resend of 20 July patch that repaired the flow_cache_lookup
> authorization (now for 2.6.13-rc4-git4).
Thanks for the resend. I'll try to get back to you soon.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <
Resend of 20 July patch that repaired the flow_cache_lookup
authorization (now for 2.6.13-rc4-git4).
Verified that failed authorization results in a new resolution.
Note that the prior [PATCH 2/2] of 18 July works with this patch, so
there will be no resend of it. Please let me know if a resend
Fixed and tested flow_cache_lookup per previous comments.
Verified that failed authorization results in new resolution
correctly.
Note that the previous [PATCH 2/2] applies (only resending one
patch now). The SELinux LSM handles the case when the context
is null.
Regards,
Trent.
=
Herbert Xu <[EMAIL PROTECTED]>
07/18/2005 06:07 PM
To: Trent Jaeger/Watson/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
netdev@vger.kernel.org, Serge E Hallyn/Austin/[EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subje
On Mon, Jul 18, 2005 at 01:50:33PM -0400, jaegert wrote:
>
> @@ -190,8 +191,9 @@ void *flow_cache_lookup(struct flowi *ke
> if (fle->genid == atomic_read(&flow_cache_genid)) {
> void *ret = fle->object;
>
> - if (ret)
This patch adds LSM hooks to the XFRM subsystem code. This patch
differs from previous ones in that an authorizer function pointer
is passed to flow_cache_lookup in order to use LSM to authorize
previously cached entries -- as suggested in my reply to Herbert.
This approach is consistent with how
Subject: Re: [PATCH 1/2] LSM-IPSec Networking Hooks
On Mon, Jul 11, 2005 at 11:35:13AM -0400, Trent Jaeger wrote:
>
> Shall I submit the patch with the authorization?
Let me think about this for a while.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~h
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
netdev@vger.kernel.org, Serge E Hallyn/Austin/[EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PATCH 1/2] LSM-IPSec Networking Hooks
On Wed, Jul 06, 2005 at 04:24:53PM -0400, jaegert wrote:
>
> diff -puN net/core/flow.c~lsm-xfrm-nethooks net/core/flow.c
> --- linux-2.6.12-git3-xfrm/net/core/flow.c~lsm-xfrm-nethooks 2005-06-21
> 15:56:40.0 -0400
> +++ linux-2.6.12-git3-xfrm-root/net/core/flow.c 2005-06-21
> 15:56
On Thu, Jul 07, 2005 at 09:30:12AM +1000, herbert wrote:
>
> This might be a silly question as I probably don't understand this
> fully. There seems to be an apparent asymmetry in the implementation.
> The outbound packets are looked up with their originating socket, i.e.,
> for TCP packets it's
On Wed, Jul 06, 2005 at 04:24:53PM -0400, jaegert wrote:
> The patch has been revised to attach the security context
> to the xfrm_state and xfrm_policy rather than the selector.
Thanks a lot for making the change Trent.
> On input, the policy retrieved must also be authorized for the socket
>
The patch has been revised to attach the security context
to the xfrm_state and xfrm_policy rather than the selector.
The function xfrm_policy_bysel was only used to match policies
for addition/removal from SPD which now requires matching security
context as well. The function has been changed t