q3k
/
linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux/include/net
History
Joy Latten 4aa2e62c45 xfrm: Add security check before flushing SAD/SPD 
Currently we check for permission before deleting entries from SAD and
SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD.  It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries a denial is logged the the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

Signed-off-by: Joy Latten<latten@austin.ibm.com>
Signed-off-by: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@namei.org>
 		2007-06-07 13:42:46 -07:00
..
bluetooth [Bluetooth] Fix L2CAP configuration parameter handling 2007-05-24 14:27:19 +02:00
irda include files: convert "include" subdirectory to UTF-8 2007-05-09 08:58:21 +02:00
iucv [AF_IUCV]: Implementation of a skb backlog queue 2007-05-04 12:22:07 -07:00
netfilter [NETFILTER]: nf_conntrack: Removes unused destroy operation of l3proto 2007-05-10 23:47:46 -07:00
sctp [SCTP]: Set assoc_id correctly during INIT collision. 2007-05-04 13:55:27 -07:00
tc_act [PKT_SCHED]: Kill pkt_act.h inlining. 2006-09-22 14:55:10 -07:00
tipc [TIPC]: endianness annotations 2006-12-02 21:21:08 -08:00
act_api.h [PKT_SCHED]: Kill pkt_act.h inlining. 2006-09-22 14:55:10 -07:00
addrconf.h [IPV6] ADDRCONF: Optimistic Duplicate Address Detection (RFC 4429) Support. 2007-04-25 22:23:43 -07:00
af_rxrpc.h [AF_RXRPC]: Add an interface to the AF_RXRPC module for the AFS filesystem to use 2007-04-26 15:50:17 -07:00
af_unix.h [AF_UNIX]: Make socket locking much less confusing. 2007-06-03 18:08:40 -07:00
ah.h [IPSEC]: Use HMAC template and hash interface 2006-09-21 11:46:18 +10:00
arp.h [IPV6]: Assorted trivial endianness annotations. 2006-12-02 21:22:50 -08:00
atmclip.h [ATM]: Annotations. 2006-12-02 21:22:55 -08:00
ax25.h [SK_BUFF]: Introduce skb_reset_mac_header(skb) 2007-04-25 22:24:32 -07:00
cfg80211.h [WIRELESS] cfg80211: Update comment for locking. 2007-04-25 22:29:48 -07:00
checksum.h [NET]: Make mangling a checksum (0 -> 0xffff on the wire) explicit. 2006-12-02 21:23:39 -08:00
cipso_ipv4.h [SK_BUFF]: Introduce skb_network_header() 2007-04-25 22:24:59 -07:00
compat.h [NET]: Introduce SIOCGSTAMPNS ioctl to get timestamps with nanosec resolution 2007-04-25 22:24:04 -07:00
datalink.h
dn.h [NET]: Reduce sizeof(struct flowi) by 20 bytes. 2006-10-21 20:24:01 -07:00
dn_dev.h
dn_fib.h [DECNet]: Use rtnl registration interface 2007-04-25 22:27:12 -07:00
dn_neigh.h
dn_nsp.h
dn_route.h [DECNet]: Use rtnl registration interface 2007-04-25 22:27:12 -07:00
dsfield.h [NET]: IP header modifier helpers annotations. 2006-12-02 21:23:40 -08:00
dst.h [XFRM]: Allow packet drops during larval state resolution. 2007-05-24 18:17:54 -07:00
esp.h [NET]: Move generic skbuff stuff from XFRM code to generic code 2007-04-25 22:28:33 -07:00
fib_rules.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
flow.h [XFRM]: Restrict upper layer information by bundle. 2007-04-30 00:58:09 -07:00
gen_stats.h
genetlink.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
icmp.h [IPV4]: icmp_send() annotation 2006-09-28 18:01:06 -07:00
ieee80211.h [PATCH] ieee80211: add ieee80211_channel_to_freq 2007-05-08 11:51:59 -04:00
ieee80211_crypt.h [PATCH] Update my email address from jkmaline@cc.hut.fi to j@w1.fi 2007-04-28 11:01:01 -04:00
ieee80211_radiotap.h [PATCH] Remove comment about IEEE80211_RADIOTAP_FCS 2007-04-28 11:01:03 -04:00
ieee80211softmac.h WorkStruct: make allyesconfig 2006-11-22 14:57:56 +00:00
ieee80211softmac_wx.h
if_inet6.h [IPV6]: Per-interface statistics support. 2006-12-02 21:22:08 -08:00
inet6_connection_sock.h [TCP]: Restore SKB socket owner setting in tcp_transmit_skb(). 2007-01-26 01:04:55 -08:00
inet6_hashtables.h [INET]: Use jhash + random secret for ehash. 2007-04-25 22:28:06 -07:00
inet_common.h
inet_connection_sock.h [TCP]: Restore SKB socket owner setting in tcp_transmit_skb(). 2007-01-26 01:04:55 -08:00
inet_ecn.h [SK_BUFF]: Convert skb->tail to sk_buff_data_t 2007-04-25 22:26:28 -07:00
inet_hashtables.h [NET]: change layout of ehash table 2007-02-08 14:16:46 -08:00
inet_sock.h [INET]: Use jhash + random secret for ehash. 2007-04-25 22:28:06 -07:00
inet_timewait_sock.h [INET]: twcal_jiffie should be unsigned long, not int 2007-03-05 13:32:48 -08:00
inetpeer.h [IPV4] inet_peer: Group together avl_left, avl_right, v4daddr to speedup lookups on some CPUS 2006-10-20 00:28:35 -07:00
ip.h [TCP]: Honour sk_bound_dev_if in tcp_v4_send_ack 2007-06-07 13:38:51 -07:00
ip6_checksum.h [IPV6]: Dumb typo in generic csum_ipv6_magic() 2006-12-22 11:12:07 -08:00
ip6_fib.h [IPv6]: Use rtnl registration interface 2007-04-25 22:27:13 -07:00
ip6_route.h [IPv6]: Use rtnl registration interface 2007-04-25 22:27:13 -07:00
ip6_tunnel.h
ip_fib.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
ip_mp_alg.h [NET]: Rethink mark field in struct flowi 2006-12-02 21:21:39 -08:00
ip_vs.h [NET]: ipvs checksum annotations. 2006-12-02 21:23:41 -08:00
ipcomp.h [CRYPTO] users: Use crypto_comp and crypto_has_* 2006-09-21 11:46:22 +10:00
ipconfig.h [NET]: ipconfig and nfsroot annotations 2006-12-02 21:21:09 -08:00
ipip.h [IPV6] net/ipv6/sit.c: make 2 functions static 2006-12-02 21:26:15 -08:00
ipv6.h [XFRM]: Allow packet drops during larval state resolution. 2007-05-24 18:17:54 -07:00
ipx.h [SK_BUFF]: Introduce skb_transport_header(skb) 2007-04-25 22:25:31 -07:00
iw_handler.h [WEXT]: Clean up how wext is called. 2007-04-26 20:43:56 -07:00
lapb.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h [LLC]: add multicast support for datagrams 2006-06-17 21:26:08 -07:00
llc_pdu.h [SK_BUFF]: Introduce skb_network_header() 2007-04-25 22:24:59 -07:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
mac80211.h [MAC80211]: Add mac80211 wireless stack. 2007-05-05 11:45:53 -07:00
mip6.h [IPV6] MIP6: Add receiving mobility header functions through raw socket. 2006-09-22 15:07:01 -07:00
ndisc.h [IPV6]: Misc endianness annotations. 2006-12-02 21:22:52 -08:00
neighbour.h [NEIGH]: Use rtnl registration interface 2007-04-25 22:27:06 -07:00
netdma.h Remove all inclusions of <linux/config.h> 2006-10-04 03:38:54 -04:00
netevent.h [NET]: Network Event Notifier Mechanism. 2006-08-02 13:38:20 -07:00
netlabel.h NetLabel: convert to an extensibile/sparse category bitmap 2006-12-02 21:31:36 -08:00
netlink.h [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
netrom.h [PATCH] mark struct file_operations const 1 2007-02-12 09:48:44 -08:00
nexthop.h [IPv4]: FIB configuration using struct fib_config 2006-09-22 14:55:04 -07:00
p8022.h
pkt_cls.h [SK_BUFF]: Convert skb->tail to sk_buff_data_t 2007-04-25 22:26:28 -07:00
pkt_sched.h [NET_SCHED]: Eliminate qdisc_tree_lock 2007-04-25 22:29:07 -07:00
protocol.h [INET]: Change protocol field in struct inet_protosw to u16 2006-12-02 21:30:55 -08:00
psnap.h
raw.h Merge git://git.infradead.org/hdrcleanup-2.6 2006-06-20 15:10:08 -07:00
rawv6.h [IPV6]: 'info' argument of ipv6 ->err_handler() is net-endian 2006-12-02 21:21:12 -08:00
red.h [NET_SCHED]: turn PSCHED_GET_TIME into inline function 2007-04-25 22:27:55 -07:00
request_sock.h [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
rose.h [PATCH] mark struct file_operations const 1 2007-02-12 09:48:44 -08:00
route.h [IPV4]: Convert ipv4 route to use the new dst_entry 'next' pointer 2007-02-10 23:20:38 -08:00
rtnetlink.h [NETLINK]: Possible cleanups. 2007-04-26 00:57:41 -07:00
sch_generic.h [NET_SCHED]: Unline tcf_destroy 2007-04-25 22:27:56 -07:00
scm.h [AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch 2006-08-02 14:12:06 -07:00
slhc_vj.h
snmp.h [SCTP]: Extend /proc/net/sctp/snmp to provide more statistics. 2006-09-22 14:55:16 -07:00
sock.h [SOCK]: Shrink struct sock by 8 bytes on 64-bit. 2007-05-31 01:23:32 -07:00
syncppp.h
tcp.h [TCP]: Consolidate checking for tcp orphan count being too big. 2007-05-31 01:23:34 -07:00
tcp_ecn.h [TCP]: Sed magic converts func(sk, tp, ...) -> func(sk, ...) 2007-04-25 22:29:34 -07:00
tcp_states.h
timewait_sock.h [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
transp_v6.h [NET]: Supporting UDP-Lite (RFC 3828) in Linux 2006-12-02 21:22:46 -08:00
udp.h [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
udplite.h [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
wext.h [NET]: Fix networking compilation errors 2007-04-27 15:31:24 -07:00
wireless.h [WIRELESS] cfg80211: New wireless config infrastructure. 2007-04-25 22:29:41 -07:00
x25.h [X.25]: Adds /proc/sys/net/x25/x25_forward to control forwarding. 2007-02-08 13:34:36 -08:00
x25device.h [SK_BUFF]: Introduce skb_reset_mac_header(skb) 2007-04-25 22:24:32 -07:00
xfrm.h xfrm: Add security check before flushing SAD/SPD 2007-06-07 13:42:46 -07:00