> > @@ -2108,7 +2230,18 @@ static int pfkey_spddelete(struct sock * > > if (sel.dport) > > sel.dport_mask = ~0; > > > > - xp = xfrm_policy_bysel(pol->sadb_x_policy_dir-1, &sel, 1); > > + sec_ctx = (struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1]; > > + memset(&tmp, 0, sizeof(struct xfrm_policy)); > > + > > + if (sec_ctx != NULL) { > > + err = security_xfrm_policy_alloc( > > + &tmp, (struct xfrm_user_sec_ctx *)sec_ctx);
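Review bot: `err` receives the result of security_xfrm_policy_alloc() but nothing in the quoted lines shows it being checked before the lookup continues; the code should return early when the LSM rejects or fails to allocate the context, and because `tmp` is a stack-local struct xfrm_policy populated by that hook, every exit path after this point needs the matching release if the hook attaches allocated state to it. The cast `(struct xfrm_user_sec_ctx *)sec_ctx` reinterprets a struct sadb_x_sec_ctx as a different type; a one-line comment stating that the two layouts are intended to coincide would make that assumption reviewable. The replacement for the removed xfrm_policy_bysel() call, which is where the security context must actually be compared, falls outside the quoted part of the hunk.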
> What makes spddelete different from spdadd?

spddelete takes a context string as input and we need to retrieve the policy that matches the selector (xfrm_policy_bysel) and the security context. The additional code checks the latter.

I think that the conversion of the context string to a 'normalized' context struct must be done by the LSM before we can do this check as done above. I could hide this computation a bit better (it is also done for xfrm_user) to clean up the code.

Regards,
Trent.

------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225
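An added example, not part of the patch or of the kernel: a simplified C model of the spddelete lookup the reply describes, where a delete request has to match both the selector and the security context before a policy is returned. `spd_entry`, `spd_find_bysel_ctx`, the addresses and the label string are constructed for illustration; the kernel's xfrm structures and the LSM's normalization of the context string are not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified SPD entry: a selector plus an optional security
 * context label ("" means unlabeled). Not the kernel's xfrm_policy. */
struct spd_entry {
    int dir;                    /* policy direction */
    unsigned int saddr, daddr;  /* selector addresses, host order */
    unsigned short dport;       /* selector destination port */
    char sec_ctx[64];
    struct spd_entry *next;
};

/* Delete-request lookup: selector AND security context must both match.
 * A request with no context (ctx == NULL) matches only unlabeled policies,
 * so a labeled policy cannot be removed by a selector-only request.
 * These matching semantics are an assumption of this model. */
struct spd_entry *spd_find_bysel_ctx(struct spd_entry *head, int dir,
                                     unsigned int saddr, unsigned int daddr,
                                     unsigned short dport, const char *ctx)
{
    for (struct spd_entry *e = head; e != NULL; e = e->next) {
        if (e->dir != dir || e->saddr != saddr ||
            e->daddr != daddr || e->dport != dport)
            continue;                         /* selector mismatch */
        if (ctx == NULL ? e->sec_ctx[0] == '\0' : strcmp(e->sec_ctx, ctx) == 0)
            return e;                         /* selector and label match */
    }
    return NULL;
}

/* Constructed SPD: two policies sharing one selector, one unlabeled and one
 * carrying a constructed label. */
struct spd_entry labeled = {1, 0x0a000001, 0x0a000002, 443,
                            "system_u:object_r:example_t:s0", NULL};
struct spd_entry unlabeled = {1, 0x0a000001, 0x0a000002, 443, "", &labeled};

int main(void)
{
    struct spd_entry *hit;
    hit = spd_find_bysel_ctx(&unlabeled, 1, 0x0a000001, 0x0a000002, 443,
                             "system_u:object_r:example_t:s0");
    printf("labeled request -> %s\n", hit == &labeled ? "labeled policy" : "miss");
    hit = spd_find_bysel_ctx(&unlabeled, 1, 0x0a000001, 0x0a000002, 443, NULL);
    printf("unlabeled request -> %s\n", hit == &unlabeled ? "unlabeled policy" : "miss");
    return 0;
}
```

With a selector-only lookup both entries would be candidates for the same request; requiring the label as well is what keeps a delete scoped to the policy it was actually issued for.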