iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e08f457c7c
linux/net
History
Joy Latten 4aa2e62c45 xfrm: Add security check before flushing SAD/SPD 
Currently we check for permission before deleting entries from SAD and
SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD.  It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries a denial is logged the the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

Signed-off-by: Joy Latten<latten@austin.ibm.com>
Signed-off-by: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@namei.org>
2007-06-07 13:42:46 -07:00
..
802 [NET]: cleanup extra semicolons 2007-04-25 22:29:24 -07:00
8021q [NET]: Fix comparisons of unsigned < 0. 2007-06-03 18:08:47 -07:00
appletalk header cleaning: don't include smp_lock.h when not used 2007-05-08 11:15:07 -07:00
atm [NET]: SPIN_LOCK_UNLOCKED cleanup in drivers/atm, net 2007-04-26 01:37:44 -07:00
ax25 [S390] Kconfig: unwanted menus for s390. 2007-05-10 15:46:07 +02:00
bluetooth [Bluetooth] Fix L2CAP configuration parameter handling 2007-05-24 14:27:19 +02:00
bridge [BRIDGE]: Round off STP perodic timers. 2007-05-31 01:23:39 -07:00
core [NET]: Avoid duplicate netlink notification when changing link state 2007-06-07 13:40:56 -07:00
dccp [NET]: Fix comparisons of unsigned < 0. 2007-06-03 18:08:47 -07:00
decnet [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
econet [SK_BUFF]: Convert skb->tail to sk_buff_data_t 2007-04-25 22:26:28 -07:00
ethernet [SK_BUFF]: Introduce skb_reset_mac_header(skb) 2007-04-25 22:24:32 -07:00
ieee80211 [PATCH] softmac: alloc_ieee80211() NULL check 2007-05-29 11:16:35 -04:00
ipv4 [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
ipv6 [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
ipx Fix incorrect prototype for ipxrtr_route_packet() 2007-05-17 05:25:49 -07:00
irda [S390] Kconfig: unwanted menus for s390. 2007-05-10 15:46:07 +02:00
iucv Add suspend-related notifications for CPU hotplug 2007-05-09 12:30:56 -07:00
key xfrm: Add security check before flushing SAD/SPD 2007-06-07 13:42:46 -07:00
lapb [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
llc Fix occurrences of "the the " 2007-05-09 08:57:56 +02:00
mac80211 [PATCH] mac80211: avoid null ptr deref in ieee80211_ibss_add_sta 2007-05-29 10:34:05 -04:00
netfilter [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check 2007-06-07 13:40:38 -07:00
netlabel [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
netlink [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
netrom [NET]: Rework dev_base via list_head (v3) 2007-05-03 15:13:45 -07:00
packet [AF_PACKET]: Kill CONFIG_PACKET_SOCKET. 2007-05-31 01:23:32 -07:00
rfkill [RFKILL]: Fix check for correct rfkill allocation 2007-05-19 12:24:39 -07:00
rose [NET]: Rework dev_base via list_head (v3) 2007-05-03 15:13:45 -07:00
rxrpc [AF_RXRPC]: Make call state names available if CONFIG_PROC_FS=n 2007-05-22 16:14:24 -07:00
sched [NET_SCHED]: Fix filter double free 2007-06-07 13:41:05 -07:00
sctp [NET]: Fix comparisons of unsigned < 0. 2007-06-03 18:08:47 -07:00
sunrpc Merge branch 'master' of /home/trondmy/repositories/git/linux-2.6/ 2007-05-17 11:36:59 -04:00
tipc [TIPC]: Fixed erroneous introduction of for_each_netdev 2007-05-24 16:36:54 -07:00
unix [AF_UNIX]: Fix stream recvmsg() race. 2007-06-07 13:40:44 -07:00
wanrouter [NET]: Fix comparisons of unsigned < 0. 2007-06-03 18:08:47 -07:00
wireless [WIRELESS] cfg80211: Clarify locking comment. 2007-04-26 20:51:12 -07:00
x25 header cleaning: don't include smp_lock.h when not used 2007-05-08 11:15:07 -07:00
xfrm xfrm: Add security check before flushing SAD/SPD 2007-06-07 13:42:46 -07:00
compat.c [NET]: Adding SO_TIMESTAMPNS / SCM_TIMESTAMPNS support 2007-04-25 22:24:21 -07:00
Kconfig [S390] Kconfig: no wireless on s390. 2007-05-10 15:46:08 +02:00
Makefile [NET]: rfkill: add support for input key to control wireless radio 2007-05-07 00:34:20 -07:00
nonet.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
socket.c Remove SLAB_CTOR_CONSTRUCTOR 2007-05-17 05:23:04 -07:00
sysctl_net.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
TUNABLE