Venkat Yekkirala wrote:
>>>+static int selinux_skb_policy_check(struct sk_buff *skb,
>>
>>unsigned short
>>
>>>family) +{
>>>+u32 xfrm_sid, trans_sid;
>>>+int err;
>>>+
>>>+if (selinux_compat_net)
>>>+return 1;
>>>+
>>>+err = selinux_xfrm_decode_session(skb, &xfrm_sid,
> > +static int selinux_skb_policy_check(struct sk_buff *skb,
> unsigned short
> > family) +{
> > + u32 xfrm_sid, trans_sid;
> > + int err;
> > +
> > + if (selinux_compat_net)
> > + return 1;
> > +
> > + err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
> > + BUG_ON(err);
>
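Review bot: BUG_ON(err) on the return value of selinux_xfrm_decode_session() in selinux_skb_policy_check() makes a failure to decode the SA context of an incoming packet fatal to the whole kernel, which is not an internal invariant but a per-packet condition; handle it by failing the policy check and dropping the packet (e.g. `if (err) return 0;`, given that the function returns 1 to permit in the selinux_compat_net path above), and keep BUG_ON for states that cannot be reached from network input.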
On Friday 08 September 2006 12:50 pm, Venkat Yekkirala wrote:
> This defines SELinux enforcement of the 2 new LSM hooks.
{snip}
> +static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short
> family) +{
> + u32 xfrm_sid, trans_sid;
> + int err;
> +
> + if (selinux_compat_
> On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
>
> > + if (selinux_compat_net) {
> > + err = selinux_xfrm_decode_session(skb, &peersid, 0);
> > + BUG_ON(err);
>
> I'm pretty sure this should not be a BUG_ON. IIUC, you want
> to panic the
> kernel because one of the nested
On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
> This defines SELinux enforcement of the 2 new LSM hooks.
>
I think this looks ok in general (I have a couple more technical issues),
although I believe that Stephen has some questions about policy
construction.
Please rename these hooks:
+
On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
> + if (selinux_compat_net) {
> + err = selinux_xfrm_decode_session(skb, &peersid, 0);
> + BUG_ON(err);
I'm pretty sure this should not be a BUG_ON. IIUC, you want to panic the
kernel because one of the nested SAs has a dif
This defines SELinux enforcement of the 2 new LSM hooks.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/hooks.c        | 125 --
security/selinux/include/xfrm.h |   5 +
security/selinux/ss/mls.c       |   2
security/selinux/ss/services.c  |