I have made some modifications to the SELinux part of this patch
as well. These fall into three categories:
(1) removed unnecessary <0 checks on unsigned ints
(2) converted sec_ctx variables to uctx since the latter is used for
variables of the xfrm_user_sec_ctx data type
(3) check for the alg ra
This patch has been modified based on Herbert's comments. I also
added explicit length checking code to xfrm_user.c based on Herbert's
comments in the rest of the code.
Most of the other modifications are deletions of unnecessary checks
per Herbert's identification.
Regards,
Trent.
==
Resend of 20 July patch that repaired the flow_cache_lookup
authorization (now for 2.6.13-rc4-git4).
Verified that failed authorization results in a new resolution.
Note that the prior [PATCH 2/2] of 18 July works with this patch, so
there will be no resend of it. Please let me know if a resend
Fixed and tested flow_cache_lookup per previous comments.
Verified that failed authorization results in new resolution
correctly.
Note that the previous [PATCH 2/2] applies (only resending one
patch now). The SELinux LSM handles the case when the context
is null.
Regards,
Trent.
==
Some bug fixes to the SELinux patch.
Regards,
Trent.
==
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to
This patch adds LSM hooks to the XFRM subsystem code. This patch
differs from previous ones in that an authorizer function pointer
is passed to flow_cache_lookup in order to use LSM to authorize
previously cached entries -- as suggested in my reply to Herbert.
This approach is consistent with how
Patches for SELinux. Note that the patch applies to 2.6.13-rc2.
Regards,
Trent.
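The authorizer-callback design described in this message, and the "failed authorization results in a new resolution" behaviour verified in the resend above, as an added illustration: a constructed userspace mock, not the patch's own code, in which `flow_key`, `xfrm_policy_mock`, `spd`, `lsm_authorize` and `relabel_policy` are illustrative names.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed userspace mock, not kernel code: a flow cache whose lookup takes
 * an LSM authorizer callback, so a cached policy is re-checked on every hit
 * and a failed check discards the entry and forces a fresh resolution. */
#define FLOW_CACHE_SIZE 8
struct flow_key { uint32_t saddr, daddr; uint8_t proto; };
struct xfrm_policy_mock { uint32_t label; };   /* stands in for an SPD entry */
struct flow_entry { struct flow_key key; uint32_t sid; void *object; int valid; };
typedef int (*flow_authorizer_t)(uint32_t sid, void *object);

static struct flow_entry flow_cache[FLOW_CACHE_SIZE];
static struct xfrm_policy_mock spd[2] = { { 100 }, { 200 } }; /* constructed SPD */
static int resolutions;                        /* number of full SPD walks */

/* Mock LSM decision: the flow's security id must equal the policy's label. */
int lsm_authorize(uint32_t sid, void *object)
{
    return ((struct xfrm_policy_mock *)object)->label == sid ? 0 : -1;
}
static int key_equal(const struct flow_key *a, const struct flow_key *b)
{ return a->saddr == b->saddr && a->daddr == b->daddr && a->proto == b->proto; }
static unsigned flow_hash(const struct flow_key *k)
{ return (k->saddr ^ k->daddr ^ k->proto) % FLOW_CACHE_SIZE; }

/* Full resolution: walk the SPD and return the first policy the LSM permits. */
static void *resolve_policy(uint32_t sid, flow_authorizer_t authorize)
{
    resolutions++;
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        if (authorize(sid, &spd[i]) == 0)
            return &spd[i];
    return NULL;
}

void *flow_cache_lookup(const struct flow_key *key, uint32_t sid, flow_authorizer_t authorize)
{
    struct flow_entry *e = &flow_cache[flow_hash(key)];
    if (e->valid && key_equal(&e->key, key) && e->sid == sid) {
        if (authorize(sid, e->object) == 0)
            return e->object;              /* cached entry is still permitted */
        e->valid = 0;                      /* stale entry: drop it and re-resolve */
    }
    void *obj = resolve_policy(sid, authorize);
    if (obj) { e->key = *key; e->sid = sid; e->object = obj; e->valid = 1; }
    return obj;
}
int flow_resolutions(void) { return resolutions; }
void relabel_policy(int idx, uint32_t label) { spd[idx].label = label; }
```

Relabelling a policy after it has been cached stands in for any change that makes a cached decision stale; the second hit on the same flow then fails authorization and triggers a new SPD walk instead of reusing the old entry.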
==
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems
The patch has been revised to attach the security context
to the xfrm_state and xfrm_policy rather than the selector.
The function xfrm_policy_bysel was only used to match policies
for addition/removal from SPD which now requires matching security
context as well. The function has been changed t