[redhat-lspp] RE: Deleting xfrms
Venkat Yekkirala
vyekkirala at trustedcs.com
Mon Feb 19 17:37:40 UTC 2007
I see this bug crept in here:
http://marc.theaimsgroup.com/?l=linux-netdev&m=114956850915839&w=2
Are you planning to fix this or did you want me to?
> -----Original Message-----
> From: Joy Latten [mailto:latten at austin.ibm.com]
> Sent: Monday, February 12, 2007 5:40 PM
> To: jmorris at namei.org; vyekkirala at TrustedCS.com
> Cc: selinux at tycho.nsa.gov; redhat-lspp at redhat.com
> Subject: Deleting xfrms
>
>
> I was looking at a patch D. Miller posted for xfrm_audit_log()
> and could not help but notice that in pfkey_spddelete() and
> xfrm_get_policy() we delete the policy first and then check to see if we
> have permission to. Am I missing the original intentions or
> is this incorrect? Shouldn't it check the permissions first and then
> call xfrm_policy_bysel_ctx()?
>
> pfkey_spddelete() in af_key.c:
>
>         xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN,
>                                    pol->sadb_x_policy_dir-1,
>                                    &sel, tmp.security, 1);
>         security_xfrm_policy_free(&tmp);
>
>         xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
>                        AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0,
>                        xp, NULL);
>
>         if (xp == NULL)
>                 return -ENOENT;
>
>         err = 0;
>
>         if ((err = security_xfrm_policy_delete(xp)))
>                 goto out;
>         c.seq = hdr->sadb_msg_seq;
>         c.pid = hdr->sadb_msg_pid;
>         c.event = XFRM_MSG_DELPOLICY;
>         km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
>
>
> xfrm_get_policy() in xfrm_user.c is very similar.
>
> Regards,
> Joy
>
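The ordering problem Joy points out, shown as an added, self-contained toy model rather than kernel code: a constructed policy table stands in for the SPD, policy_bysel() stands in for xfrm_policy_bysel_ctx() (lookup with an optional unlink side effect), and policy_delete_permitted() stands in for the security_xfrm_policy_delete() LSM hook. The names, the label-matching rule and the sample entries are all constructed for illustration. spddelete_unlink_then_check() mirrors the quoted pfkey_spddelete() ordering, where a denied caller still gets the policy removed; spddelete_check_then_unlink() performs the permission check before anything is unlinked.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy SPD: a fixed table of policies, each with a selector id
 * and a security label. These are not the kernel's structures. */
#define MAX_POLICIES 8

struct policy {
    int sel;      /* selector: identifies the policy (constructed) */
    int label;    /* security label attached to the policy (constructed) */
    bool in_use;  /* slot is occupied, i.e. policy is linked into the table */
};

static struct policy spd[MAX_POLICIES];

/* Reset the table to a known state with two constructed entries. */
void spd_init(void) {
    memset(spd, 0, sizeof spd);
    spd[0] = (struct policy){ .sel = 10, .label = 1, .in_use = true };
    spd[1] = (struct policy){ .sel = 20, .label = 2, .in_use = true };
}

/* Number of policies still linked into the table. */
int spd_count(void) {
    int n = 0;
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (spd[i].in_use)
            n++;
    return n;
}

/* Stand-in for xfrm_policy_bysel_ctx(): find a policy by selector and, when
 * delete is nonzero, unlink it from the table as a side effect of the lookup. */
static struct policy *policy_bysel(int sel, int delete) {
    for (size_t i = 0; i < MAX_POLICIES; i++) {
        if (spd[i].in_use && spd[i].sel == sel) {
            if (delete)
                spd[i].in_use = false;
            return &spd[i];
        }
    }
    return NULL;
}

/* Stand-in for the security_xfrm_policy_delete() hook. Constructed rule:
 * a caller may only delete policies that carry its own label. */
static int policy_delete_permitted(int caller_label, const struct policy *xp) {
    return xp->label == caller_label ? 0 : -EPERM;
}

/* Ordering as quoted from pfkey_spddelete(): lookup-and-unlink first,
 * permission check second. The caller is told -EPERM, but the policy has
 * already been removed from the table. */
int spddelete_unlink_then_check(int caller_label, int sel) {
    struct policy *xp = policy_bysel(sel, 1);
    if (xp == NULL)
        return -ENOENT;
    int err = policy_delete_permitted(caller_label, xp);
    if (err)
        return err;  /* too late: the entry is already unlinked */
    return 0;
}

/* Check-before-delete ordering: look up without unlinking, run the
 * permission check, and only then unlink. A denied caller changes nothing. */
int spddelete_check_then_unlink(int caller_label, int sel) {
    struct policy *xp = policy_bysel(sel, 0);
    if (xp == NULL)
        return -ENOENT;
    int err = policy_delete_permitted(caller_label, xp);
    if (err)
        return err;  /* table untouched */
    policy_bysel(sel, 1);  /* authorised: unlink now */
    return 0;
}

int main(void) {
    spd_init();
    int r = spddelete_unlink_then_check(2, 10);  /* label 2 may not delete label 1 */
    printf("unlink-then-check: ret=%d, policies left=%d\n", r, spd_count());

    spd_init();
    r = spddelete_check_then_unlink(2, 10);
    printf("check-then-unlink: ret=%d, policies left=%d\n", r, spd_count());
    return 0;
}
```

In a real kernel path the lookup and the unlink happen under the policy lock, so a two-step "look up, check, look up again and delete" sequence of the kind shown in spddelete_check_then_unlink() would open a window in which the policy can change between the check and the unlink; the robust form runs the permission check inside the locked lookup, before the entry is unlinked, and returns the error from there.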