I did this in too hurried a manner, sorry.

The basic idea that I wanted to convey is that multiple entries may succeed at flow_key_compare, but that only ones that are authorized are returned. Since the cache is scanned sequentially, this approach seems acceptable to me. flow_key_compare is only used here and flow_cache_entry's are only used for xfrm_policy's, so it does not seem that any problems are caused by this assumption at present.

If no authorizer is supplied, then the first entry is always returned as is the case now.
    for (fle = *head; fle; fle = fle->next) {
        if (fle->family == family &&
            fle->dir == dir &&
            flow_key_compare(key, &fle->key) == 0) {
            if (fle->genid == atomic_read(&flow_cache_genid)) {
                void *ret = fle->object;

+               if (authorizer && authorizer(sk, ret, key, dir) != 0)
+                   continue;
+
                if (ret)
                    atomic_inc(fle->object_ref);
                local_bh_enable();

                return ret;
            }
            break;
        }
    }
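Review bot: the added `continue` on authorizer failure also bypasses the `break` that follows the `genid` check, so a key-matching entry the authorizer rejects no longer ends the scan the way a stale entry does, and the loop can finish with `fle` NULL even though a matching entry exists. The text above accepts that duplicate entries for one key are the consequence; a short comment at the `continue` saying that rejected entries are deliberately skipped rather than treated as the terminating match would make that intent clear to the next reader of flow_cache_lookup.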
I need to verify that the selinux_xfrm_policy_lookup will correctly authorize an unlabelled context when the policy is null, but otherwise, this captures the intended modification.
Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225
Herbert Xu <[EMAIL PROTECTED]>
07/18/2005 06:07 PM
To: Trent Jaeger/Watson/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[email protected], Serge E Hallyn/Austin/[EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PATCH 1/2] LSM-IPSec Networking Hooks --
authorizing flow_cache_entry's
On Mon, Jul 18, 2005 at 01:50:33PM -0400, jaegert wrote:
>
> @@ -190,8 +191,9 @@ void *flow_cache_lookup(struct flowi *ke
> if (fle->genid ==
atomic_read(&flow_cache_genid)) {
> void *ret
= fle->object;
>
> - if (ret)
> + if (ret
&& (authorizer(sk, ret, key, dir) == 0))
> atomic_inc(fle->object_ref);
> +
> local_bh_enable();
>
> return
ret;
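Review bot: the guard on the `+ if (ret && (authorizer(sk, ret, key, dir) == 0))` line only decides whether `atomic_inc(fle->object_ref)` runs; the unchanged `return ret;` below it executes regardless, so a policy object the authorizer rejected is still handed to the caller, now without a reference held on it. The authorization result has to steer the return path as well, either by skipping the entry (`continue`) or by returning NULL when the authorizer fails, keeping the refcount increment together with the successful return.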
Sorry, but I don't see how this can work. If the authorizer call fails,
we still return that object, albeit without the reference count.
We need to ponder this a bit more.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
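To make the difference between the two placements of the authorizer concrete, here is an added user-space model of the flow_cache_lookup() scan. It is example code written for this thread, not the patch under discussion and not kernel code: `struct flow_key`, `struct flow_entry`, the plain-int refcount, `lookup_refcount_guard`, `lookup_skip_denied`, `scan` and the `demo_*` functions are simplified stand-ins, and the two-entry chain and the `deny_first_policy` callback are constructed fixtures. Variant A reproduces the guard from the quoted hunk, variant B the follow-up that skips a rejected entry with `continue`.

```c
#include <stddef.h>

struct flow_key { int daddr; };             /* stand-in for struct flowi */

struct flow_entry {                         /* stand-in for struct flow_cache_entry */
    struct flow_entry *next;
    unsigned short family; unsigned char dir;
    struct flow_key key;
    int genid;
    void *object;                           /* cached policy object */
    int *object_ref;                        /* its refcount (atomic_t in the kernel) */
};

/* LSM authorizer callback as in the thread: 0 = allow, nonzero = deny. */
typedef int (*authorizer_fn)(void *sk, void *obj, struct flow_key *key, unsigned char dir);

static int flow_key_compare(const struct flow_key *a, const struct flow_key *b)
{
    return a->daddr == b->daddr ? 0 : 1;
}

/* Variant A: the guard from the quoted hunk. Authorization gates only the
 * refcount increment; a matching-but-denied entry is still returned. */
void *lookup_refcount_guard(struct flow_entry *head, void *sk, struct flow_key *key,
                            unsigned short family, unsigned char dir, int cur_genid, authorizer_fn authorizer)
{
    for (struct flow_entry *fle = head; fle; fle = fle->next) {
        if (fle->family == family && fle->dir == dir && flow_key_compare(key, &fle->key) == 0) {
            if (fle->genid == cur_genid) {
                void *ret = fle->object;
                if (ret && authorizer(sk, ret, key, dir) == 0)
                    (*fle->object_ref)++;
                return ret;                 /* reached even when the authorizer denied */
            }
            break;                          /* stale entry: fall through to a miss */
        }
    }
    return NULL;                            /* cache miss; the resolver would run here */
}

/* Variant B: the follow-up. A denied entry is skipped with continue, so the scan
 * returns only an authorized entry or reports a miss; with no authorizer the
 * first match is returned as before. */
void *lookup_skip_denied(struct flow_entry *head, void *sk, struct flow_key *key,
                         unsigned short family, unsigned char dir, int cur_genid, authorizer_fn authorizer)
{
    for (struct flow_entry *fle = head; fle; fle = fle->next) {
        if (fle->family == family && fle->dir == dir && flow_key_compare(key, &fle->key) == 0) {
            if (fle->genid == cur_genid) {
                void *ret = fle->object;
                if (authorizer && authorizer(sk, ret, key, dir) != 0)
                    continue;               /* not ours to return: keep scanning */
                if (ret)
                    (*fle->object_ref)++;
                return ret;
            }
            break;
        }
    }
    return NULL;
}

/* Constructed fixture: two current entries for one key; the authorizer refuses
 * the first policy object for this (dummy) socket. */
int policy_denied, policy_allowed;          /* opaque objects; only their addresses matter */
static int ref_denied, ref_allowed;

static int deny_first_policy(void *sk, void *obj, struct flow_key *key, unsigned char dir)
{
    (void)sk; (void)key; (void)dir;
    return obj == &policy_denied ? -1 : 0;
}

static void *scan(int use_variant_b, authorizer_fn auth)
{
    struct flow_entry allowed = { NULL, 2, 1, { 10 }, 7, &policy_allowed, &ref_allowed };
    struct flow_entry denied  = { &allowed, 2, 1, { 10 }, 7, &policy_denied, &ref_denied };
    struct flow_key key = { 10 };
    ref_denied = ref_allowed = 0;
    return use_variant_b ? lookup_skip_denied(&denied, NULL, &key, 2, 1, 7, auth)
                         : lookup_refcount_guard(&denied, NULL, &key, 2, 1, 7, auth);
}

/* Herbert's objection: variant A hands back the denied object, unreferenced. */
int demo_variant_a_returns_denied(void)
{
    return scan(0, deny_first_policy) == &policy_denied && ref_denied == 0;
}
/* Variant B skips the denied entry, returns the authorized one and references it. */
int demo_variant_b_returns_allowed(void)
{
    return scan(1, deny_first_policy) == &policy_allowed && ref_allowed == 1 && ref_denied == 0;
}
/* Without an authorizer, variant B behaves like the unpatched lookup. */
int demo_no_authorizer_returns_first(void)
{
    return scan(1, NULL) == &policy_denied && ref_denied == 1;
}
```

Each `demo_*` function returns 1 when the described outcome occurs: variant A returns the policy the authorizer rejected with its refcount untouched, which is exactly the object-without-reference situation Herbert describes, while variant B walks past it to the authorized entry and takes a reference on that one. Because the real lookup allocates a fresh entry and calls the resolver after a miss, the `continue` path is also what makes the "multiple entries may match the same key" behaviour discussed above possible.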