> > @@ -2108,7 +2230,18 @@ static int pfkey_spddelete(struct sock *
> > if (sel.dport)
> > sel.dport_mask = ~0;
> >
> > - xp = xfrm_policy_bysel(pol->sadb_x_policy_dir-1, &sel,
1);
> > + sec_ctx = (struct sadb_x_sec_ctx *)
ext_hdrs[SADB_X_EXT_SEC_CTX-1];
> > + memset(&tmp, 0, sizeof(struct xfrm_policy));
> > +
> > + if (sec_ctx != NULL) {
> > + err = security_xfrm_policy_alloc(
> > + &tmp, (struct
xfrm_user_sec_ctx *)sec_ctx);
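Review bot: the pointer taken from ext_hdrs[SADB_X_EXT_SEC_CTX-1] is cast straight to a struct xfrm_user_sec_ctx and handed to security_xfrm_policy_alloc(), so please either make the length validation visible before that call (that the context length inside the extension agrees with the extension's own header length) or note in the hunk where the generic ext_hdrs parsing already enforces it; a malformed extension should be rejected before the LSM parses it. Also, once `err = security_xfrm_policy_alloc(&tmp, ...)` succeeds, the on-stack `tmp` carries an LSM context, so every return path after this point, including the lookup-failure path that replaces the removed `xfrm_policy_bysel(...)` call, needs the matching security_xfrm_policy_free(&tmp) so that context is not leaked; the quoted hunk ends before that cleanup is shown, so worth confirming it is there.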
> What makes spddelete different from spdadd?
spddelete takes a context string as input and we need to retrieve the
policy that matches the selector (xfrm_policy_bysel) and the security
context. The additional code checks the latter. I think that the
conversion of the context string to a 'normalized' context struct must be
done by the LSM before we can do this check as done above.
I could hide this computation a bit better (it is also done for xfrm_user)
to clean up the code.
Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225