• C
    [LSM-IPsec]: SELinux Authorize · c8c05a8e
    Catherine Zhang 提交于
    This patch contains a fix for the previous patch that adds security
    contexts to IPsec policies and security associations.  In the previous
    patch, no authorization (besides the check for write permissions to
    SAD and SPD) is required to delete IPsec policies and security
    assocations with security contexts.  Thus a user authorized to change
    SAD and SPD can bypass the IPsec policy authorization by simply
    deleteing policies with security contexts.  To fix this security hole,
    an additional authorization check is added for removing security
    policies and security associations with security contexts.
    
    Note that if no security context is supplied on add or present on
    policy to be deleted, the SELinux module allows the change
    unconditionally.  The hook is called on deletion when no context is
    present, which we may want to change.  At present, I left it up to the
    module.
    
    LSM changes:
    
    The patch adds two new LSM hooks: xfrm_policy_delete and
    xfrm_state_delete.  The new hooks are necessary to authorize deletion
    of IPsec policies that have security contexts.  The existing hooks
    xfrm_policy_free and xfrm_state_free lack the context to do the
    authorization, so I decided to split authorization of deletion and
    memory management of security data, as is typical in the LSM
    interface.
    
    Use:
    
    The new delete hooks are checked when xfrm_policy or xfrm_state are
    deleted by either the xfrm_user interface (xfrm_get_policy,
    xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
    
    SELinux changes:
    
    The new policy_delete and state_delete functions are added.
    Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com>
    Signed-off-by: NTrent Jaeger <tjaeger@cse.psu.edu>
    Acked-by: NJames Morris <jmorris@namei.org>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    c8c05a8e
xfrm_user.c 43.8 KB