summaryrefslogtreecommitdiffstats
path: root/net/key
diff options
context:
space:
mode:
authorCatherine Zhang <cxzhang@watson.ibm.com>2006-06-08 23:39:49 -0700
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-17 21:29:45 -0700
commitc8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63 (patch)
treeb4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf /net/key
parentcec6f7f39c3db7d9f6091bf2f8fc8d520f372719 (diff)
downloadop-kernel-dev-c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63.zip
op-kernel-dev-c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63.tar.gz
[LSM-IPsec]: SELinux Authorize
This patch contains a fix for the previous patch that adds security contexts to IPsec policies and security associations. In the previous patch, no authorization (besides the check for write permissions to SAD and SPD) is required to delete IPsec policies and security assocations with security contexts. Thus a user authorized to change SAD and SPD can bypass the IPsec policy authorization by simply deleteing policies with security contexts. To fix this security hole, an additional authorization check is added for removing security policies and security associations with security contexts. Note that if no security context is supplied on add or present on policy to be deleted, the SELinux module allows the change unconditionally. The hook is called on deletion when no context is present, which we may want to change. At present, I left it up to the module. LSM changes: The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete. The new hooks are necessary to authorize deletion of IPsec policies that have security contexts. The existing hooks xfrm_policy_free and xfrm_state_free lack the context to do the authorization, so I decided to split authorization of deletion and memory management of security data, as is typical in the LSM interface. Use: The new delete hooks are checked when xfrm_policy or xfrm_state are deleted by either the xfrm_user interface (xfrm_get_policy, xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete). SELinux changes: The new policy_delete and state_delete functions are added. Signed-off-by: Catherine Zhang <cxzhang@watson.ibm.com> Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/key')
-rw-r--r--net/key/af_key.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 8595822..d5e2121 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1454,21 +1454,23 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
if (x == NULL)
return -ESRCH;
+ if ((err = security_xfrm_state_delete(x)))
+ goto out;
+
if (xfrm_state_kern(x)) {
- xfrm_state_put(x);
- return -EPERM;
+ err = -EPERM;
+ goto out;
}
err = xfrm_state_delete(x);
- if (err < 0) {
- xfrm_state_put(x);
- return err;
- }
+ if (err < 0)
+ goto out;
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
c.event = XFRM_MSG_DELSA;
km_state_notify(x, &c);
+out:
xfrm_state_put(x);
return err;
@@ -2274,11 +2276,14 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
err = 0;
+ if ((err = security_xfrm_policy_delete(xp)))
+ goto out;
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
c.event = XFRM_MSG_DELPOLICY;
km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
+out:
xfrm_pol_put(xp);
return err;
}
OpenPOWER on IntegriCloud