diff options
author | Trent Jaeger <tjaeger@cse.psu.edu> | 2006-01-06 13:22:39 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-01-06 13:22:39 -0800 |
commit | 5f8ac64b15172c7ced7d7990eb28342092bc751b (patch) | |
tree | 63046817c9a6e8db513379337f01289c045a5d63 /security/selinux/xfrm.c | |
parent | 69549ddd2f894c4cead50ee2b60cc02990c389ad (diff) |
[LSM-IPSec]: Corrections to LSM-IPSec Nethooks
This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.
(1) free a security context on a failed insert via xfrm_user
interface in xfrm_add_policy. Memory leak.
(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto
to setcontext.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/xfrm.c')
-rw-r--r-- | security/selinux/xfrm.c | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c4d87d4dca7b..5b7776504e4c 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us * Must be permitted to relabel from default socket type (process type) * to specified context */ - rc = avc_has_perm(tsec->sid, tsec->sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__RELABELFROM, NULL); - if (rc) - goto out; - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__RELABELTO, NULL); + ASSOCIATION__SETCONTEXT, NULL); if (rc) goto out; |