summaryrefslogtreecommitdiff
path: root/arch/x86/tools
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2017-11-02 16:46:01 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2017-11-03 08:17:46 +0100
commitcf37966751747727629fe51fd4a1d4edd8457c60 (patch)
tree07bb582261d8a6e3700d15890d58dc093f135879 /arch/x86/tools
parentcb79a180f2e7eb51de5a4848652893197637bccb (diff)
xfrm: do unconditional template resolution before pcpu cache check
Stephen Smalley says: Since 4.14-rc1, the selinux-testsuite has been encountering sporadic failures during testing of labeled IPSEC. git bisect pointed to commit ec30d ("xfrm: add xdst pcpu cache"). The xdst pcpu cache is only checking that the policies are the same, but does not validate that the policy, state, and flow match with respect to security context labeling. As a result, the wrong SA could be used and the receiver could end up performing permission checking and providing SO_PEERSEC or SCM_SECURITY values for the wrong security context. This fix makes it so that we always do the template resolution, and then checks that the found states match those in the pcpu bundle. This has the disadvantage of doing a bit more work (lookup in state hash table) if we can reuse the xdst entry (we only avoid xdst alloc/free) but we don't add a lot of extra work in case we can't reuse. xfrm_pol_dead() check is removed, reasoning is that xfrm_tmpl_resolve does all needed checks. Cc: Paul Moore <paul@paul-moore.com> Fixes: ec30d78c14a813db39a647b6a348b428 ("xfrm: add xdst pcpu cache") Reported-by: Stephen Smalley <sds@tycho.nsa.gov> Tested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'arch/x86/tools')
0 files changed, 0 insertions, 0 deletions