[PATCH 2/2] LSM-IPSec Networking Hooks -- Minor mods

2005-08-11 Thread jaegert
I have made some modifications to the SELinux part of this patch as well. These fall into three categories: (1) removed unnecessary <0 checks on unsigned ints; (2) converted sec_ctx variables to uctx since the latter is used for variables of the xfrm_user_sec_ctx data type; (3) check for the alg ra

[PATCH 1/2] LSM-IPSec Networking Hooks -- mods based on Herbert's comments

2005-08-11 Thread jaegert
This patch has been modified based on Herbert's comments. I also added explicit length checking code to xfrm_user.c based on Herbert's comments in the rest of the code. Most of the other modifications are deletions of unnecessary checks per Herbert's identification. Regards, Trent. ==

[PATCH 1/2] LSM-IPSec Networking Hooks -- revised flow cache [resend]

2005-08-02 Thread jaegert
Resend of 20 July patch that repaired the flow_cache_lookup authorization (now for 2.6.13-rc4-git4). Verified that failed authorization results in a new resolution. Note that the prior [PATCH 2/2] of 18 July works with this patch, so there will be no resend of it. Please let me know if a resend

[PATCH 1/2] LSM-IPSec Networking Hooks -- revised flow_cache authorization

2005-07-20 Thread jaegert
Fixed and tested flow_cache_lookup per previous comments. Verified that failed authorization results in new resolution correctly. Note that the previous [PATCH 2/2] applies (only resending one patch now). The SELinux LSM handles the case when the context is null. Regards, Trent. =

[PATCH 2/2] LSM-IPSec Networking Hooks -- SELinux portion bug fixes

2005-07-18 Thread jaegert
Some bug fixes to the SELinux patch. Regards, Trent. == This patch series implements per packet access control via the extension of the Linux Security Modules (LSM) interface by hooks in the XFRM and pfkey subsystems that leverage IPSec security associations to

[PATCH 1/2] LSM-IPSec Networking Hooks -- authorizing flow_cache_entry's

2005-07-18 Thread jaegert
This patch adds LSM hooks to the XFRM subsystem code. This patch differs from previous ones in that an authorizer function pointer is passed to flow_cache_lookup in order to use LSM to authorize previously cached entries -- as suggested in my reply to Herbert. This approach is consistent with how

[PATCH 2/2] LSM-IPSec Networking Hooks

2005-07-06 Thread jaegert
Patches for SELinux. Note that the patch applies to 2.6.13-rc2. Regards, Trent. == This patch series implements per packet access control via the extension of the Linux Security Modules (LSM) interface by hooks in the XFRM and pfkey subsystems

[PATCH 1/2] LSM-IPSec Networking Hooks

2005-07-06 Thread jaegert
The patch has been revised to attach the security context to the xfrm_state and xfrm_policy rather than the selector. The function xfrm_policy_bysel was only used to match policies for addition/removal from SPD which now requires matching security context as well. The function has been changed t