diff options
author | Venkat Yekkirala <vyekkirala@trustedcs.com> | 2006-11-08 17:04:26 -0600 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-02 21:21:34 -0800 |
commit | 67f83cbf081a70426ff667e8d14f94e13ed3bdca (patch) | |
tree | 776a40733eacb9071478f865e6791daa3f6fd602 /net/xfrm | |
parent | 6b877699c6f1efede4545bcecc367786a472eedb (diff) | |
download | kernel_samsung_smdk4412-67f83cbf081a70426ff667e8d14f94e13ed3bdca.tar.gz kernel_samsung_smdk4412-67f83cbf081a70426ff667e8d14f94e13ed3bdca.tar.bz2 kernel_samsung_smdk4412-67f83cbf081a70426ff667e8d14f94e13ed3bdca.zip |
SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.
With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_policy.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 7736b23c3f0..b88b038530c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1894,7 +1894,8 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family)) return 0; - if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm, pol)) + if (fl && pol && + !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl)) return 0; if (dst->xfrm->km.state != XFRM_STATE_VALID) return 0; |