linux/include
Joy Latten 4aa2e62c45 xfrm: Add security check before flushing SAD/SPD
Currently we check for permission before deleting entries from SAD and
SPD (see security_xfrm_policy_delete() and security_xfrm_state_delete()).
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD.  It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries, a denial is logged and the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@namei.org>
2007-06-07 13:42:46 -07:00
..
acpi Pull osi-now into release branch 2007-06-02 01:02:09 -04:00
asm-alpha ALPHA: misc fixes 2007-06-01 08:18:29 -07:00
asm-arm [ARM] 4394/1: ARMv7: Add the TLB range operations 2007-05-30 14:32:07 +01:00
asm-arm26 [ARM] use __used attribute 2007-05-30 13:15:06 +01:00
asm-avr32 [AVR32] Implement platform hooks for atmel_lcdfb driver 2007-05-15 14:13:27 +02:00
asm-blackfin Blackfin arch: Change NO_ACCESS_CHECK to ACCESS_CHECK 2007-05-21 09:50:23 -07:00
asm-cris Consolidate asm/poll.h 2007-05-11 08:29:34 -07:00
asm-frv Consolidate asm/poll.h 2007-05-11 08:29:34 -07:00
asm-generic sparc64: fix alignment bug in linker definition script 2007-05-29 21:29:00 +02:00
asm-h8300 h8300 trival patches 2007-06-01 08:18:29 -07:00
asm-i386 i386: fix early usage of atomic_add_return and local_add_return on real i386 2007-05-23 20:14:15 -07:00
asm-ia64 [IA64] Cleanup acpi header to reuse the generic _PDC defines 2007-05-24 10:15:06 -07:00
asm-m32r m32r: __xchg() should be always_inline 2007-05-15 18:56:37 -07:00
asm-m68k m68k: discontinuous memory support 2007-05-31 07:58:14 -07:00
asm-m68knommu
asm-mips Detach sched.h from mm.h 2007-05-21 09:18:19 -07:00
asm-parisc Detach sched.h from mm.h 2007-05-21 09:18:19 -07:00
asm-powerpc [POWERPC] Fix return from pte_alloc_one() in out-of-memory case 2007-06-02 21:01:56 +10:00
asm-ppc Merge branch 'linux-2.6' 2007-05-10 21:08:37 +10:00
asm-s390 [S390] Wire up signald, timerfd and eventfd syscalls. 2007-05-21 11:25:28 +02:00
asm-sh sh: trivial build cleanups. 2007-05-31 13:46:21 +09:00
asm-sh64 sh64: generic quicklist support. 2007-05-14 09:55:35 +09:00
asm-sparc [SPARC]: Emulate cmpxchg like parisc 2007-05-29 02:51:13 -07:00
asm-sparc64 [SPARC64]: Fill in gaps in non-PCI dma_*() NOP implementation. 2007-06-04 23:32:23 -07:00
asm-um uml: iRQ stacks 2007-05-11 08:29:34 -07:00
asm-v850 Consolidate asm/poll.h 2007-05-11 08:29:34 -07:00
asm-x86_64 Detach sched.h from mm.h 2007-05-21 09:18:19 -07:00
asm-xtensa Consolidate asm/poll.h 2007-05-11 08:29:34 -07:00
crypto
keys
linux [NETFILTER]: ip_tables: fix compat related crash 2007-06-07 13:40:32 -07:00
math-emu
media V4L/DVB (5592): DMA: Correctly free resources on error, sync PCI streamed data 2007-05-09 10:12:42 -03:00
mtd
net xfrm: Add security check before flushing SAD/SPD 2007-06-07 13:42:46 -07:00
pcmcia
rdma Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband 2007-05-21 16:19:32 -07:00
rxrpc
scsi
sound [ALSA] version 1.0.14 2007-05-31 11:03:27 +02:00
video atmel_lcdfb: AT91/AT32 LCD Controller framebuffer driver 2007-05-11 08:29:37 -07:00
Kbuild