On Wed, 10 Jan 2007, Herbert Xu wrote:

> Hi:
>
> [IPSEC] flow: Cache negative security checks

We did some work in this part of the code a few months back -- IIRC it was resolved correctly from a security point of view. (cc'ing Venkat & Paul for review).

> This patch causes security policy denials to be cached instead of
> causing a relookup every time. This is OK because we already cache
> positive security policy results which is strictly worse as far as
> security is concerned. In particular, if the security system (not
> IPsec policies but the rules under security/) changes such that a
> positive result turns negative (denial), we will ignore it and
> continue to allow traffic through based on the cached policy.
>
> So if the security folks actually care about this, they'd need to
> flush the flow cache whenever a relevant change is made to the
> security database. Whether this is done or not does not affect
> this patch.
>
> Given that we do want to cache positive results even in the presence
> of SELinux (otherwise we might as well disable flow.c entirely), it
> is natural to cache negative results too.
>
> This patch also happens to fix a nasty bug where if an expiring
> flow entry that's not at the head happens to trigger a security
> denial, all entries before it are removed from the cache and
> leaked.
>
> Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>
>
> Cheers,

-- 
James Morris <[EMAIL PROTECTED]>

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
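The thread above makes two points: a flow cache that already memoises positive security verdicts may as well memoise denials too, and the security side then has to flush the cache whenever its rule database changes, or a stale positive verdict keeps letting traffic through. The C below is an added illustration written for this page; it is not the kernel's net/core/flow.c and not code from the thread. It models a tiny flow cache that stores both verdicts and invalidates them with a generation counter bumped on every policy change; every name, structure and rule in it is invented for the example.

```c
/* Added example: a minimal flow-cache model that caches both ALLOW and
 * DENY verdicts and invalidates all of them with a generation counter
 * when the security database changes. Illustrative only; the names
 * below are invented and do not correspond to kernel APIs. */
#include <stdio.h>
#include <stdint.h>

#define CACHE_SIZE 64

enum verdict { VERDICT_UNKNOWN = 0, VERDICT_ALLOW, VERDICT_DENY };

struct flow_key { uint32_t saddr, daddr; uint16_t dport; };

struct flow_entry {
    struct flow_key key;
    unsigned int genid;    /* security-database generation when cached */
    enum verdict verdict;  /* cached result, positive or negative */
    int valid;
};

/* Hypothetical security database: one deny rule plus a generation id. */
static unsigned int security_genid = 1;
static uint16_t denied_port = 23;      /* constructed rule: deny port 23 */
static unsigned int slow_lookups = 0;  /* how often the full check ran */

/* The expensive check the cache exists to avoid (stand-in for the
 * security hook the thread refers to). */
static enum verdict security_check(const struct flow_key *k)
{
    slow_lookups++;
    return k->dport == denied_port ? VERDICT_DENY : VERDICT_ALLOW;
}

/* Must be called whenever a relevant rule changes. Bumping the
 * generation makes every cached verdict, positive or negative, miss
 * on its next lookup without walking the cache. */
void security_db_changed(uint16_t new_denied_port)
{
    denied_port = new_denied_port;
    security_genid++;
}

static struct flow_entry cache[CACHE_SIZE];

static unsigned int flow_hash(const struct flow_key *k)
{
    return (k->saddr * 31u + k->daddr * 17u + k->dport) % CACHE_SIZE;
}

static int key_eq(const struct flow_key *a, const struct flow_key *b)
{
    /* Field-wise compare: memcmp would also compare struct padding. */
    return a->saddr == b->saddr && a->daddr == b->daddr && a->dport == b->dport;
}

enum verdict flow_cache_lookup(const struct flow_key *k)
{
    struct flow_entry *e = &cache[flow_hash(k)];

    /* A hit requires a matching key AND the current generation, so a
     * positive verdict cached before a policy change cannot be reused. */
    if (e->valid && e->genid == security_genid && key_eq(&e->key, k))
        return e->verdict;

    /* Miss: run the full check once and cache whichever way it went.
     * Caching the denial is what stops a denied flow from forcing a
     * relookup on every packet. */
    e->key = *k;
    e->genid = security_genid;
    e->verdict = security_check(k);
    e->valid = 1;
    return e->verdict;
}

unsigned int flow_cache_slow_lookups(void) { return slow_lookups; }

int main(void)
{
    struct flow_key allowed = { 0x0a000001u, 0x0a000002u, 443 };
    struct flow_key denied  = { 0x0a000001u, 0x0a000002u, 23 };

    flow_cache_lookup(&allowed); flow_cache_lookup(&allowed);
    flow_cache_lookup(&denied);  flow_cache_lookup(&denied);
    printf("full checks after 4 lookups: %u\n", flow_cache_slow_lookups());

    security_db_changed(443);  /* policy flips: 443 denied, 23 allowed */
    printf("port 443 after change: %s\n",
           flow_cache_lookup(&allowed) == VERDICT_DENY ? "denied" : "allowed");
    printf("full checks now: %u\n", flow_cache_slow_lookups());
    return 0;
}
```

The generation counter is the cheap form of the "flush the flow cache" the thread asks for: nothing is freed, but every entry silently becomes a miss. Without that bump, the second half of `main` would keep returning the stale ALLOW for port 443, which is exactly the failure mode Herbert describes for cached positive results.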